CVE-2023-20241: 
Cisco AnyConnect Secure Client vulnerability analysis and mitigation

Multiple vulnerabilities in Cisco Secure Client Software (formerly AnyConnect Secure Mobility Client) were identified under CVE-2023-20241. This vulnerability was disclosed on November 15, 2023, affecting various versions of Cisco Secure Client and AnyConnect products. The vulnerability is characterized as an out-of-bounds memory read issue that could allow an authenticated, local attacker to cause a denial of service (DoS) condition (Cisco Advisory).

The vulnerability is classified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 5.5 (Medium), and vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability specifically affects the VPN Agent service component of the software (NVD).

A successful exploitation of this vulnerability could allow an attacker to crash the VPN Agent service, making it unavailable to all users of the system. This results in a denial of service condition affecting the entire system's VPN functionality (Cisco Advisory).

Cisco has released software updates to address this vulnerability. For version 4.10 and earlier, the fix is available in release 4.10 MR8 (December 2023). For version 5.0, the fix is available in release 5.0 MR5 (5.0.05040). Version 5.1 is not vulnerable to this issue. There are no workarounds available for this vulnerability (Cisco Advisory).