Cisco Fixes High-Severity Code Execution and VPN Hijacking Flaws

Cisco announced patches for high-severity vulnerabilities on Wednesday, March 6, 2024.
Cisco Fixes High-Severity Code Execution and VPN Hijacking Flaws

Critical security vulnerabilities patched in the Cisco Secure Client VPN application. Update now to protect your VPN connections from credential theft, unauthorized access, and potential code execution. This advisory also details unpatched flaws in Cisco Small Business wireless access points.

Network equipment giant Cisco has addressed critical security flaws impacting its Secure Client enterprise VPN application and endpoint security solutions. For your information, Secure Client is widely used to establish secure Virtual Private Network (VPN) connections. On Wednesday, Cisco announced patches for high-severity vulnerabilities CVE-2024-20337 (CVSS score: 8.2) and CVE-2024-20338 (CVSS score: 7.3).

CVE-2024-20337 is a Carriage Return Line Feed (CRLF) injection vulnerability allowing attackers to execute script code or access sensitive information in a browser if configured with the SAML External Browser feature.

The flaw affects Linux, macOS, and Windows versions of Secure Client, and can be exploited in CRLF injection attacks. CRLF injections are vulnerabilities where attackers inject CR and LF characters into web applications, adding extra headers or causing browsers to ignore original content.

Unauthenticated remote attackers can execute arbitrary scripts or steal sensitive information like users’ valid SAML authentication tokens to establish a remote access VPN session with the affected user’s privileges. However, individual hosts and services would require additional credentials for successful access, Cisco noted in its advisory.

Amazon security researcher Paulos Yibelo Mesfin discovered this flaw and it has been fixed in versions 4.10.04065, 4.10.08025, 5.0, and

CVE-2024-20338 only affects Cisco Secure Client for Linux and its successful exploitation requires authentication. It can only be exploited by an authenticated, local attacker. The vulnerability allows the attacker to execute arbitrary code on an affected device with root privileges. They can copy a malicious library file to a specific directory and persuade an administrator to restart a specific process. 

Cisco advises enterprise admins to upgrade to one of the fixed versions, as version of the VPN application resolves the bug.

Cisco has announced patches for several medium-severity flaws in AppDynamics Controller and Duo Authentication for Windows Logon and RDP, potentially leading to data leaks and secondary authentication bypass. The tech giant also warned about two flaws in Cisco Small Business 100, 300, and 500 Series wireless access points (APs), tracked as CVE-2024-20335, and CVE-2024-20336.

These flaws allow remote attackers to execute arbitrary code as the root user. However, Cisco won’t patch them because their Wireless APs have reached the end-of-life process. Similarly, the medium-severity flaws will remain unpatched for the same reason. Moreover, Cisco notes that it is not aware of any of these vulnerabilities being exploited in the wild.

Cisco has emphasized the need for cybersecurity vigilance and adopting security best practices. These include regularly updating software, using strong passwords and multi-factor authentication, being cautious with suspicious links, and preferring trustworthy Wi-Fi networks for sensitive VPN connections.

  1. New Cisco Web UI Vulnerability Exploited by Attackers
  2. Cisco Confirms Network Breach After Employee’s Gmail was Hacked
  3. Unpatched Cisco SD-WAN Manager Systems Exposed to DoS Attacks
  4. New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
  5. Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices
Related Posts