"A successful exploit could allow the attacker to execute arbitrary code on the affected machine with System privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system." Users running Cisco AnyConnect Secure Mobility Client for Windows releases 4.9.00086 and later are not vulnerable.
This bug doesn't affect the AnyConnect client for Linux, or the client for iOS, Android, and the Universal Windows Platform. Cisco has given CVE-2020-3433 a severity score of 7.8. Cisco lists a further 15 medium-severity flaws on the company's security advisories page.
The vulnerability is caused by a glitch in the way Cisco's software handles Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. Remote attackers could exploit the flaw by sending specially crafted HTTP requests to the device.