Exploits for CVE-2020-3433, CVE-2020-3434 and CVE-2020-3435 are available on GitHub:

Introduction

End of April 2020, I analyzed the technical advisory from SSD Secure Disclosure on the CVE-2020-3153 vulnerability affecting Cisco AnyConnect Secure Mobility Client for Windows (discovered by Yorick Koster). During this analysis, I found three additional vulnerabilities in the same component. Beginning of May 2020, I sent all details to Cisco (responsible disclosure), and these vulnerabilities are now public since beginning of August 2020.

- The privilege escalation vulnerability (CVE-2020-3433) was fixed in the version 6, released on the 1 (before the publication of Cisco’s security advisories).
- The Denial of Service (CVE-2020-3434) seems to be fixed in version 5, but not the “Always-On” bypass (CVE-2020-3435).
- Cisco AnyConnect 64-bit versions have not been tested. Some adjustments are probably needed (e.g. path to vpndownloader.exe).

According to Cisco’s documentation, AnyConnect can be updated in several ways, and, in particular, using an auto-update feature. This feature has already been affected by several vulnerabilities in the past few years (including the mentioned CVE-2020-3153), and now, the three vulnerabilities detailed in this post.

AnyConnect is composed of numerous executables and libraries but the two main components are:

- vpnagent.exe - Cisco AnyConnect Secure Mobility Agent, a service running as Local System account.
- vpnui.exe - AnyConnect GUI, running as the currently logged-in user.

The GUI and other components (particularly in our case, the “downloader” component - vpndownloader.exe) of this solution communicate with the VPN agent thanks to an Inter-Process Communication (IPC) mechanism on the TCP port 62522 (loopback network interface only). Therefore, it’s possible to capture these communications by sniffing the loopback interface with Wireshark. Since the content is not encrypted, the main purpose of each message can be understood or at least guessed. The AnyConnect IPC protocol has already been studied, in particular in SerializingMe’s article part 1 and part 2, and several exploits (ab)using this protocol were made available (e.g.