CVE-2024-20474: 
Cisco AnyConnect Secure Client vulnerability analysis and mitigation

A vulnerability in Internet Key Exchange version 2 (IKEv2) processing of Cisco Secure Client Software was discovered, tracked as CVE-2024-20474. The vulnerability affects Cisco Secure Client Software (formerly known as Cisco AnyConnect Secure Mobility Client for versions 4.10 and earlier). This security flaw allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to an integer underflow condition (Cisco Advisory).

The vulnerability stems from an integer underflow condition in the IKEv2 processing component of Cisco Secure Client Software. The CVSS v3.1 base score is 6.5 (Medium), with attack vector being Network, attack complexity Low, requiring no privileges, but necessitating user interaction. The vulnerability has been assigned CWE-191 (Integer Underflow) classification (NVD).

A successful exploitation of this vulnerability results in a denial of service (DoS) condition, causing the Cisco Secure Client Software to crash. This affects the availability of the client software, potentially disrupting secure network connections for affected users (Cisco Advisory).

Cisco has released software updates that address this vulnerability. The fixed version is Cisco Secure Client Software 5.1.4.74. There are no workarounds available for this vulnerability. Note that Cisco AnyConnect Secure Mobility Client Release 4.x reached end of life as of March 31, 2024 (Cisco Advisory).

The vulnerability was reported to Cisco by the U.S. National Security Agency (NSA). At the time of disclosure, Cisco PSIRT was not aware of any public announcements or malicious use of the vulnerability (Cisco Advisory).