CVE-2023-20178
Published: 28 June 2023
Summary
CVE-2023-20178 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Cisco AnyConnect Secure Mobility Client. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2023-20178 is an incorrect default permissions issue (CWE-276) in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. It arises because incorrect permissions are set on a temporary directory created during updates, which run after a VPN connection succeeds, and it carries a CVSS 3.1 score of 7.8.
A low-privileged authenticated local attacker can exploit the flaw by invoking a specific Windows installer function after VPN establishment, resulting in arbitrary code execution with SYSTEM privileges.
The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw addresses the issue and its remediation. The EPSS score peaked at 0.2774 and has remained flat since, with no material rise observed.
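Because the weakness is a directory whose ACL grants more than it should to low-privileged users, the practical defender check is to audit the ACL of the directory an installer or updater uses while running as SYSTEM. The PowerShell script below is an added example, not code from Cisco or from this page; the directory path is a placeholder assumption (the page does not name the affected temporary directory), and the list of broad principals is an assumption chosen to cover the usual low-privileged groups on Windows.

```powershell
# Added example (not from the Cisco advisory or this page): report Allow ACEs on a
# directory that grant write-type rights to broad, low-privileged principals.
# The default path is a placeholder; pass -Path to point at the directory you are auditing.
param(
    [string]$Path = 'C:\Temp\PLACEHOLDER-update-dir'
)

# Principals that should not hold write rights on a directory consumed by a SYSTEM-level installer
# (assumed list; extend it with any site-specific low-privileged groups).
$broadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a principal create or replace content inside the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-WeakDirectoryAce {
    param([string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory)) {
        Write-Warning "Directory not found: $Directory"
        return
    }

    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $identity = $ace.IdentityReference.Value
        if ($broadPrincipals -notcontains $identity) { continue }

        # Flag the ACE when any write-type bit is present in its rights.
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Directory
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = Get-WeakDirectoryAce -Directory $Path
if ($findings) {
    Write-Output "Low-privileged principals hold write rights on $Path (review and tighten):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No broad write rights found on $Path"
}
```

Save it as a script file and run it with `-Path` set to the directory under review; inherited ACEs are reported too, since a temporary directory created under a parent with a permissive ACL inherits that weakness. The fix for any finding is to restrict the ACE to SYSTEM and Administrators (or to remove the directory from a user-writable parent), which is the "secure default permissions" control the Mitigating Controls section below describes.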
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24357
Vulnerability details
A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established. This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.
- CWE(s): CWE-276 (Incorrect Default Permissions)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Access control policy can specify and enforce secure default permissions for resources.
- Guides setting of default permissions to the minimum required level.
- Establishes requirements for appropriate default permissions on system resources as part of configuration management.
- Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones.
- Requiring the most restrictive settings instead of defaults prevents incorrect default permissions on resources.
- Requires documented processes that include setting and maintaining correct default permissions for configuration items.
- Requires addressing secure default permissions in physical and environmental protection controls.
- Tailoring explicitly overrides or scopes default permission assignments in the baseline to match the system's actual risk and operational needs.