On March 14, 2018, Cisco released a security advisory for the Cisco AnyConnect Secure Mobility Client. Cisco reported that a malicious DHCP server could be used to create a situation where a client would accept and execute arbitrary code on the client operating system. Cisco provided the following example of how a malicious DHCP server could be used to exploit this vulnerability: On a client without the Cisco AnyConnect Secure Mobility Client installed, a user connects to an attacker-controlled network through a malicious access gateway and receives an AnyConnect prompt. This prompt could be a warning that the user connects to a malicious network, or it could be a certificate warning that the user connects to a malicious network. The user accepts the prompt and the AnyConnect Secure Mobility Client creates an encrypted tunnel between the client and the access gateway. The access gateway sends an AnyConnect prompt. The user again accepts the AnyConnect prompt and the client creates an encrypted tunnel between the client and the remote server. The server then sends a request to the DHCP server for a lease on an IP address. The DHCP server then sends an AnyConnect prompt to the client. The client accepts the AnyConnect prompt, creating an encrypted tunnel between the client and the server. The server now has an IP address, which it can now use to attack other clients through the use of a MITM

DNS hijacking

If you want to know more about DNS hijacking, you can check this article out.

https://www.cisco.com/c/en/us/support/docs/security-vulnerability-policy/vulnerability-disclosure-and-responsibility/#1162

At the very least, if you're going to run a business online, it's important to learn what types of threats like these are out there and how you can keep your customers safe from them. It's also important to implement security measures so that your company isn't vulnerable to these kinds of attacks in the first place.

Standard disclaimer

To be clear, the Cisco advisory includes a malicious DHCP server as one way to exploit the vulnerability. In particular, an attacker could use a malicious DHCP server to create a situation where a client would receive and execute arbitrary code on the client operating system.

Mitigations for the CVE-2022-37980

On March 14, 2018, Cisco released a security advisory for the Cisco AnyConnect Secure Mobility Client. Cisco reported that a malicious DHCP server could be used to create a situation where a client would accept and execute arbitrary code on the client operating system. Cisco provided the following example of how a malicious DHCP server could be used to exploit this vulnerability: On a client without the Cisco AnyConnect Secure Mobility Client installed, a user connects to an attacker-controlled network through a malicious access gateway and receives an AnyConnect prompt. This prompt could be a warning that the user connects to a malicious network, or it could be a certificate warning that the user connects to a malicious network. The user accepts the prompt and the AnyConnect Secure Mobility Client creates an encrypted tunnel between the client and the access gateway. The access gateway sends an AnyConnect prompt. The user again accepts the AnyConnect prompt and the client creates an encrypted tunnel between the client and the remote server. The server then sends a request to the DHCP server for a lease on an IP address. The DHCP server then sends an AnyConnect prompt to the client. The client accepts the AnyConnect prompt, creating an encrypted tunnel between the client and the server. The server now has an IP address, which it can now use to attack other clients through the use of a MitM

Summary of Cisco AnyConnect Secure Mobility Client Vulnerability

On March 14, 2018, Cisco released a security advisory for the Cisco AnyConnect Secure Mobility Client. Cisco reported that a malicious DHCP server could be used to create a situation where a client would accept and execute arbitrary code on the client operating system. The vulnerability is tracked as CVE-2022-37980.
In the advisory, Cisco stated the following about this vulnerability:

Cisco was notified of this vulnerability by Rapid7.
Cisco confirmed that there are no workarounds for this vulnerability in current versions of AnyConnect.
Cisco confirmed that this vulnerability does not affect AnyConnect Secure Mobility Client versions prior to 3.1.0.2 (3.1 being the latest version).

How do I know if I am affected?

Cisco published a list of IP addresses that would trigger this vulnerability.
You can also check the version numbers for Microsoft Windows or Mac OS X to see if they are on the latest release. If they are not, we recommend updating them and disabling IPv6 until Cisco provides an update with a resolution.

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/11/2022 19:16:00 UTC
