Cisco has disclosed a critical vulnerability in the SAML authentication process of its Cisco Secure Client software. This vulnerability could potentially allow unauthenticated, remote attackers to conduct a Carriage Return Line Feed (CRLF) injection attack.
This flaw poses a significant risk to users by enabling attackers to execute arbitrary script code in the user’s browser or access sensitive information.
Understanding the Vulnerability
The vulnerability, identified due to insufficient validation of user-supplied input, can be exploited by an attacker by persuading a user to click on a specially crafted link while establishing a VPN session.
Malware analysis can be fast and simple. Just let us show you the way to:
- Interact with malware safely
- Set up virtual machine in Linux and all Windows OS versions
- Work in a team
- Get detailed reports with maximum data
If you want to test all these features now with completely free access to the sandbox: ..
If successful, the attacker could leverage this to execute arbitrary script code in the browser or access sensitive, browser-based information, including valid SAML tokens.
These tokens could then be used to establish a remote access VPN session with the privileges of the affected user. However, individual hosts and services behind the VPN headend would still require additional credentials for access.
Affected versions of Cisco Secure Client include those running on Linux, macOS, and Windows platforms, specifically when configured with the SAML External Browser feature in conjunction with a vulnerable release.
The vulnerability does not impact Secure Client AnyConnect for Android, Secure Client (including AnyConnect) for Universal Windows Platform, or Secure Client AnyConnect VPN for iOS.
Fixed an Infected Versions
Cisco has taken steps to address this vulnerability by releasing software updates. The versions impacted and their respective fixes are as follows:
- Versions earlier than 4.10.04065 are not vulnerable.
- Versions 4.10.04065 and later, including 5.0 and 5.1, are vulnerable.
- The first fixed release for versions 4.10.04065 and later is 4.10.08025.
- For version 5.0, users are advised to migrate to a fixed release.
- Version 5.1 is fixed in release 5.1.2.42.
Users are encouraged to upgrade to the appropriate fixed software release to mitigate the risk posed by this vulnerability.
Cisco has made these updates free for customers with service contracts, accessible through their usual update channels.
It’s important to note that no workarounds address this vulnerability, making it crucial for affected users to apply the provided software updates to secure their systems.
Additionally, customers should ensure that their devices have sufficient memory and that the new release will continue to properly support current hardware and software configurations.
For customers without service contracts, upgrades can be obtained by contacting the Cisco Technical Assistance Center (TAC), with the product serial number and the URL of the advisory as evidence of entitlement to a free upgrade.
This incident highlights the importance of maintaining up-to-date software and being vigilant against potential security threats.
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.