Cisco tells Secure Client users to patch immediately or risk a VPN security flaw

Networking giant Cisco has fixed a serious bug in one of its software products that could be abused to establish a remote access VPN session with the privileges of a targeted user.

The flaw was found in Secure Client and is described as a ‘carriage return line feed injection vulnerability’.

It is tracked as CVE-2024-20337, carries a CVSS severity score of 8.2 (high), and allows an unauthenticated, remote attacker to perform a Carriage Return Line Feed (CRLF) injection attack against a user of the client.

A plaster is available

“A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information including a valid SAML token,” the company said in an advisory. “The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still require additional credentials for successful access.”

The Hacker News explained that the vulnerability stems from insufficient validation of user-supplied input. An attacker could exploit it by persuading a victim to click a crafted link while establishing a VPN session. The researcher who discovered the flaw, Amazon’s Paulos Yibelo Mesfin, told the publication that threat actors could exploit it to gain access to their targets’ local internal networks, and that all a victim has to do is visit a website controlled by the attacker.
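To make the vulnerability class concrete, here is an added example of a CRLF injection in its most common form: user input concatenated into an HTTP response header. This is illustrative code written for this page, not Cisco’s code and not the exploit for CVE-2024-20337 (the advisory does not publish the affected component or the crafted link). The redirect target, the injected Set-Cookie header and the parser are all constructed here; the point is that a single unvalidated CR/LF pair lets the attacker write new headers and a response body, which is exactly the kind of control that ends in script execution or leaked browser-side data.

```python
import re

# Constructed sample inputs (not from the Cisco advisory): a redirect target
# that a web endpoint copies from a query parameter into the Location header.
SAFE_TARGET = "/dashboard"
# The attacker's value terminates the Location header with "\r\n", appends a
# header of their choosing, and uses a blank line to start a response body.
MALICIOUS_TARGET = (
    "/dashboard\r\n"
    "Set-Cookie: session=attacker\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable: the user-controlled value is written straight into the header block."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


class CRLFInjectionError(ValueError):
    """Raised when a header value contains characters that would split the header."""


def build_redirect_hardened(target: str) -> bytes:
    """Hardened: reject CR, LF and NUL before the value reaches the header block.

    Rejecting is preferable to stripping: a stripped value may still be attacker
    controlled, while a rejected request produces a visible error and a log line.
    """
    if re.search(r"[\r\n\x00]", target):
        raise CRLFInjectionError("control character in header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response(raw: bytes):
    """Minimal HTTP/1.1 response parser standing in for a browser or client.

    Returns (status_line, headers_dict, body_bytes). Everything after the first
    blank line is treated as the body, which is how real clients behave.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def demo():
    """Show what a client sees for the vulnerable and hardened builders."""
    status, headers, body = parse_response(build_redirect_vulnerable(MALICIOUS_TARGET))
    print("vulnerable:", status, headers, body[:40])
    try:
        build_redirect_hardened(MALICIOUS_TARGET)
    except CRLFInjectionError as exc:
        print("hardened rejected input:", exc)
    print("hardened ok:", parse_response(build_redirect_hardened(SAFE_TARGET))[1])


if __name__ == "__main__":
    demo()
```

Run against the malicious value, the vulnerable builder produces a response in which the client sees an extra Set-Cookie header and a body beginning with the injected script, while the original Content-Length header has been pushed into the body and is ignored. The hardened builder refuses the value outright; the same check belongs wherever a SAML relay state, redirect URL or other browser-supplied string is reflected into a header.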

To ensure their endpoints are secure, IT teams should check which Cisco Secure Client release they are running and move to the corresponding fixed release:

Earlier than 4.10.04065: not vulnerable
4.10.04065 and later: fixed in 4.10.08025
5.0: migrate to a fixed release
5.1: fixed in 5.1.2.42

Virtual Private Network (VPN) solutions are an indispensable part of any organization’s tech stack and are therefore frequently targeted by threat actors. Recently, Ivanti’s VPN products came under fire after multiple high-severity vulnerabilities were discovered in them and exploited at scale to steal sensitive data, conduct espionage, and deploy malware and ransomware.
