CVE-2024-20337: 
Cisco AnyConnect Secure Client vulnerability analysis and mitigation

A vulnerability (CVE-2024-20337) was discovered in the SAML authentication process of Cisco Secure Client, affecting Windows, Linux, and macOS versions. The flaw, disclosed on March 6, 2024, allows an unauthenticated remote attacker to conduct a carriage return line feed (CRLF) injection attack against users. The vulnerability received a CVSS score of 8.2 (High) and was reported by Paulos Yibelo Mesfin of Amazon Security (Cisco Advisory, SecurityWeek).

The vulnerability stems from insufficient validation of user-supplied input in the SAML authentication process. It specifically affects Cisco Secure Client installations where the VPN headend is configured with the SAML External Browser feature. The vulnerability is tracked as CWE-93 (Improper Neutralization of CRLF Sequences) and has a CVSS v3.1 base score of 8.2 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (Cisco Advisory).

A successful exploitation could allow attackers to execute arbitrary script code in the browser or access sensitive browser-based information, including valid SAML tokens. Using these tokens, attackers could establish remote access VPN sessions with the privileges of affected users. However, access to individual hosts and services behind the VPN headend would still require additional credentials (HelpNet Security, Hacker News).

Cisco has released software updates to address the vulnerability. Fixed versions include 4.10.08025 for the 4.10.x series and 5.1.2.42 for the 5.1.x series. Versions prior to 4.10.04065 are not vulnerable, and users of version 5.0 are advised to migrate to a fixed release. No workarounds are available for this vulnerability (Cisco Advisory).