Security News > 2020 > November > Cisco Working on Patch for Code Execution Vulnerability in VPN Product
Cisco informed customers on Wednesday that it's working on a patch for a code execution vulnerability affecting its AnyConnect product.
According to the networking giant, the product is affected by a flaw, tracked as CVE-2020-3556, that can be exploited by a local, authenticated attacker to cause an AnyConnect user to execute a malicious script.
"An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user," Cisco said in its advisory.
The IOS XR flaw can allow a remote, unauthenticated attacker to execute unsigned code during the Preboot eXecution Environment boot process on an impacted device.
Cisco has warned Webex customers that an attacker can execute arbitrary code on their systems by tricking them into opening malicious ARF or WRF files with Webex Network Recording Player for Windows or Cisco Webex Player for Windows.
News URL
Related news
- FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability (source)
- CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September (source)
- SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access (source)
- Fortra Issues Patch for High-Risk FileCatalyst Workflow Security Vulnerability (source)
- Cisco fixes root escalation vulnerability with public exploit code (source)
- Apache fixes critical OFBiz remote code execution vulnerability (source)
- Week in review: Vulnerability allows Yubico security keys cloning, Patch Tuesday forecast (source)
- Progress Software Issues Patch for Vulnerability in LoadMaster and MT Hypervisor (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-06 | CVE-2020-3556 | Unspecified vulnerability in Cisco Anyconnect Secure Mobility Client 4.9(3052)/98.145(86) A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. | 7.3 |