In order to address a high-severity security weakness in its Secure Client software that could allow a threat actor to start a VPN session with the targeted user, Cisco has published updates. The networking equipment manufacturer stated that an unauthorized, remote attacker might execute a Carriage Return Line Feed (CRLF) injection attack against a user due to the vulnerability, which is listed as CVE-2024-20337 (CVSS score: 8.2).

A threat actor could make use of this vulnerability, which results from inadequate validation of user-supplied input, to fool a user into clicking on a specially constructed link in the process of starting a VPN session.

The company stated in an advisory that “a successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. After that, the attacker may create a remote access VPN session with the compromised user's rights by using the token. For successful access, each host and service behind the VPN headend would still require extra credentials.”

The following versions of Secure Client for Windows, Linux, and macOS have been updated to resolve the vulnerability:

1. Earlier than 4.10.04065 (not vulnerable)
2. 4.10.04065 and later (fixed in 4.10.08025)
3. 5.0 (migrate to a fixed release)
4. 5.1 (fixed in 5.1.2.42)

The vulnerability was found and reported by Amazon security researcher Paulos Yibelo Mesfin, who told The Hacker News that it lets attackers access internal networks when a target visits a website they control.

Additionally, Cisco has released solutions for CVE-2024-20338 (CVSS Score: 7.3), a high-severity vulnerability in Secure Client for Linux that might allow a local, authenticated attacker to escalate privileges on a device that is compromised. The fix is included in version 5.1.2.42.

“An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process. A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges,” it said.