Cisco has released patches to address a high-severity security flaw affecting its Secure Client software that could be exploited by an attacker to open a VPN session with the privileges of a targeted user.
The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) attack against a user.
The flaw stems from insufficient validation of user-supplied input; a threat actor could exploit it by tricking a user into clicking a specially crafted link while establishing a VPN session.
“A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive browser-based information, including a valid SAML token,” the company said in an advisory.
“The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. The individual hosts and services behind the VPN headend would still need additional credentials for successful access.”
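The advisory traces the flaw to unvalidated input reaching a CRLF-sensitive context. The following is an added example, not code from Cisco or from the article, showing the check a server-side component should apply before placing a user-controlled value (here a hypothetical redirect target) into an HTTP header: it rejects carriage returns and line feeds in both raw and percent-encoded form, because a check on the raw string alone misses `%0D%0A`. The sample URLs are constructed for the demonstration and have no connection to Secure Client.

```python
import re
from urllib.parse import unquote

# A CR or LF inside a single header value lets that value end the header line
# and begin a new header (or the response body). Both the raw bytes and their
# percent-encoded forms must be caught, so the check runs on the decoded string.
_CRLF_RE = re.compile(r"[\r\n]")


def contains_crlf(value: str) -> bool:
    """True if the value carries a CR/LF, raw or percent-encoded (%0D / %0A)."""
    return bool(_CRLF_RE.search(unquote(value)))


def validate_header_value(name: str, value: str) -> str:
    """Return the value unchanged if it may be placed in a header, else raise."""
    if contains_crlf(name) or contains_crlf(value):
        raise ValueError(f"CR/LF rejected in header {name!r}")
    return value


def build_response_headers(redirect_target: str) -> bytes:
    """Build a minimal redirect header block, refusing header-splitting input."""
    target = validate_header_value("Location", redirect_target)
    lines = [
        "HTTP/1.1 302 Found",
        f"Location: {target}",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# Constructed sample inputs (hypothetical, not from the advisory): the value of a
# return-URL parameter as it would arrive at a server after a user follows a link.
SAMPLE_RETURN_URLS = [
    "https://vpn.example.test/dashboard",
    "https://vpn.example.test/dashboard%0D%0AX-Injected:%201",
    "https://vpn.example.test/dashboard\r\nX-Injected: 1",
]


def classify(urls):
    """Map each sample to 'ok' or 'rejected', the verdict a gateway would log."""
    verdicts = {}
    for url in urls:
        try:
            build_response_headers(url)
            verdicts[url] = "ok"
        except ValueError:
            verdicts[url] = "rejected"
    return verdicts


if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_RETURN_URLS).items():
        print(f"{verdict:8s} {url!r}")
```

Rejecting the value outright, rather than stripping the offending characters, is the safer design choice: a stripped value silently changes the redirect a user is sent to, while a rejected one surfaces as an error a defender can alert on.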
The vulnerability affects Secure Client for Windows, Linux, and macOS. The affected and fixed releases are as follows:
- Before 4.10.04065 (not vulnerable)
- 4.10.04065 and later (fixed in 4.10.08025)
- 5.0 (migration to a fixed version)
- 5.1 (fixed in 5.1.2.42)
Amazon Security Researcher Paulos Yibelo Mesfin was credited with discovering and reporting the flaw, telling The Hacker News that the flaw allows attackers to access local internal networks when a target visits a website under their control.
Cisco also released fixes for CVE-2024-20338 (CVSS score: 7.3), another high-severity flaw in Secure Client for Linux that could allow an authenticated, local attacker to elevate privileges on an affected device. It has been fixed in version 5.1.2.42.
“An attacker could exploit this vulnerability by copying a malicious library file to a specific filesystem directory and convincing an administrator to restart a specific process,” he said. “A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.”