Cisco patches Secure Client VPN flaw that could reveal authentication tokens (CVE-2024-20337)
Cisco has fixed two high-severity vulnerabilities affecting its Cisco Secure Client enterprise VPN and endpoint security solution, one of which (CVE-2024-20337) could be exploited by unauthenticated, remote attackers to grab users’ valid SAML authentication token.
“The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user,” Cisco says, but notes that “individual hosts and services behind the VPN headend would still need additional credentials for successful access.”
Cisco Secure Client vulnerabilities (CVE-2024-20337, CVE-2024-20338)
CVE-2024-20337 is a carriage return line feed (CRLF) injection vulnerability.
“An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token,” the company explained.
The vulnerability affects specific Secure Client for Windows, macOS and Linux versions – if the VPN headend (i.e., termination point for the VPN tunnels) is configured with the SAML External Browser feature.
CVE-2024-20338, on the other hand, affects only Cisco Secure Client for Linux if it has the ISE Posture module installed; can only be exploited by an authenticated, local attacker; and could allow the attacker to execute arbitrary code on an affected device with root privileges.
There is no currently no indication that either of these flaws are being exploited by attackers, but enterprise admins should nevertheless upgrade to one of the fixed versions quickly.
Other vulnerabilities patched (and not)
This time around, Cisco has also patched several medium-severity vulnerabilities in Duo Authentication for Windows Logon and RDP and AppDynamics Controller, and warned about two flaws (CVE-2024-20335, CVE-2024-20336) in Cisco Small Business 100, 300, and 500 Series wireless access points (APs) that could allow authenticated, remote attackers to execute arbitrary code as the root user.
The company doesn’t plan to patch those last two, since those wireless APs have entered the end-of-life process. “Customers are encouraged to migrate to the Cisco Business Access Point Series,” Cisco advises.