CVE-2023-20240: 
Cisco AnyConnect Secure Client vulnerability analysis and mitigation

Multiple vulnerabilities in Cisco Secure Client Software (formerly AnyConnect Secure Mobility Client) were identified under CVE-2023-20240. The vulnerability was discovered and disclosed on November 15, 2023. This security flaw affects various versions of Cisco Secure Client Software, including AnyConnect for Android, iOS, Universal Windows Platform, Linux, and MacOS (Cisco Advisory).

The vulnerability is classified as an out-of-bounds memory read (CWE-125) in Cisco Secure Client Software. It has been assigned a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD).

A successful exploitation of this vulnerability could allow an attacker to crash the VPN Agent service, resulting in a denial of service (DoS) condition that affects all users of the system. The service becomes unavailable to all users when exploited (Cisco Advisory).

Cisco has released software updates to address this vulnerability. For version 4.10 and earlier, the fix is available in release 4.10 MR8 (December 2023). For version 5.0, the fix is available in release 5.0 MR4 (5.0.04032). Version 5.1 is not vulnerable to this issue. There are no workarounds available for this vulnerability (Cisco Advisory).