CVE-2023-20178: 
Cisco AnyConnect Secure Client vulnerability analysis and mitigation

CVE-2023-20178 is a high-severity vulnerability (CVSS score: 7.8) affecting Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. The vulnerability was discovered by Filip Dragovic and disclosed on June 7, 2023. It affects multiple versions of the software, including versions up to (excluding) 4.10.07061 for AnyConnect and versions up to (excluding) 5.0.02075 for Secure Client (Cisco Advisory).

The vulnerability exists in the client update process that executes after a successful VPN connection is established. When a user connects to VPN, the vpndownloader.exe process starts in the background and creates a directory in c:\windows\temp with default permissions. The vulnerability stems from improper permissions being assigned to this temporary directory during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process (Cisco Advisory, HelpNet Security).

A successful exploitation of this vulnerability allows a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. This means an attacker could execute code with SYSTEM privileges, effectively gaining complete control over the affected system (Cisco Advisory).

Cisco has released software updates that address this vulnerability. Users should upgrade to either AnyConnect Secure Mobility Client for Windows 4.10MR7 (4.10.07061) or Cisco Secure Client Software for Windows 5.0MR2 (5.0.02075). There are no workarounds available for this vulnerability (Cisco Advisory).