CVE-2020-3433
Published: 17 August 2020
Summary
CVE-2020-3433 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Cisco AnyConnect Secure Mobility Client. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 11.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
A vulnerability in the interprocess communication channel of Cisco AnyConnect Secure Mobility Client for Windows allows an authenticated local attacker to perform a DLL hijacking attack. The issue stems from insufficient validation of resources loaded by the application at runtime and is tracked under CWE-427. Exploitation occurs when a crafted IPC message is sent to the AnyConnect process, resulting in arbitrary code execution with SYSTEM privileges on the affected Windows system.
An attacker must possess valid local credentials on the Windows host to trigger the flaw. Successful exploitation grants the ability to run arbitrary code at the highest privilege level without further user interaction, affecting confidentiality, integrity, and availability.
The Cisco Security Advisory cisco-sa-anyconnect-dll-F26WwJW provides official guidance on the issue, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity. Public exploit code has also been shared via Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-24704
Vulnerability details
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.
- CWE(s): CWE-427
- KEV Date Added: 24 October 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly counters the root cause, insufficient validation of IPC messages and runtime-loaded resources, that enables the DLL hijacking.
- SI-7 (Software, Firmware, and Information Integrity): Requires integrity verification of software components and loaded resources, blocking crafted or unauthorized DLLs from executing with SYSTEM privileges.
- AC-6 (Least Privilege): Limits the privileges of the AnyConnect process and local users so that successful exploitation cannot immediately yield SYSTEM-level code execution.
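One way to put the SI-7 control above into practice on a host is to audit what a privileged process has actually loaded. The PowerShell below is an added example written for this page; it is not Cisco's code and does not come from the advisory. It lists every module loaded by a named process, checks each module's Authenticode signature, checks that it sits under a protected directory, and checks whether the directory it was loaded from is writable by standard users. A DLL that fails any of those three checks is exactly the kind of runtime-loaded resource CWE-427 is about. The process name (`vpnagent`) and the trusted root directories are assumptions to adjust for your environment.

```powershell
<#
  Added example (not from the advisory or from Cisco).
  Audits the DLLs loaded by a running process against three defender checks:
    1. Authenticode signature status
    2. module path under an expected (protected) root directory
    3. directory the module came from is not writable by standard users
  Assumptions (placeholders, not taken from the advisory):
    - $ProcessName 'vpnagent' is assumed to be the AnyConnect agent process
    - $TrustedRoots are the directories a legitimate DLL is expected to come from
  Run from an elevated session whose bitness matches the target process;
  otherwise the Modules property of a SYSTEM process cannot be read.
#>
param(
    [string]$ProcessName = 'vpnagent',
    [string[]]$TrustedRoots = (@($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ })
)

# True when $Path lies beneath one of the $Roots (case-insensitive prefix match).
function Test-UnderTrustedRoot {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# True when a broad principal (Users / Authenticated Users / Everyone) holds an
# Allow ACE that grants file creation or append rights on the directory.
function Test-StandardUserWritable {
    param([string]$Directory)
    $broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $true }
    }
    return $false
}

# One record per loaded module, carrying the results of the three checks.
function Get-LoadedModuleAudit {
    param([string]$ProcessName, [string[]]$TrustedRoots)
    $processes = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($processes.Count -eq 0) {
        Write-Warning "No running process named '$ProcessName'."
        return
    }
    foreach ($proc in $processes) {
        try { $modules = $proc.Modules }
        catch {
            Write-Warning "Cannot read modules of PID $($proc.Id): $($_.Exception.Message)"
            continue
        }
        foreach ($module in $modules) {
            $path = $module.FileName
            $sig  = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                ProcessId          = $proc.Id
                Module             = $module.ModuleName
                Path               = $path
                SignatureStatus    = $sig.Status
                Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                UnderTrustedRoot   = Test-UnderTrustedRoot -Path $path -Roots $TrustedRoots
                DirWritableByUsers = Test-StandardUserWritable -Directory (Split-Path -Parent $path)
            }
        }
    }
}

$audit   = @(Get-LoadedModuleAudit -ProcessName $ProcessName -TrustedRoots $TrustedRoots)
$flagged = @($audit | Where-Object {
    $_.SignatureStatus -ne 'Valid' -or -not $_.UnderTrustedRoot -or $_.DirWritableByUsers
})

if ($flagged.Count -gt 0) {
    $flagged | Format-Table ProcessId, Module, SignatureStatus, UnderTrustedRoot, DirWritableByUsers, Path -AutoSize
} elseif ($audit.Count -gt 0) {
    Write-Output "All $($audit.Count) modules loaded by '$ProcessName' are signed, under a trusted root, and in directories standard users cannot write to."
}
```

Any module reported with an unsigned or invalid signature, a path outside the trusted roots, or a user-writable source directory is worth investigating, and the `DirWritableByUsers` column in particular is the condition an uncontrolled search path element needs; the fix for this CVE is to apply the version in Cisco's advisory, with this audit serving as a post-patch integrity check rather than a substitute for it.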