Cisco has released security updates for a vulnerability affecting its Secure Client software. Successful exploitation could allow threat actors to steal a targeted user’s token and establish a virtual private network (VPN) session. The vulnerability tracked as CVE-2024-20337 has a CVSS score of 8.2, which is considered high risk. Organizations running the vulnerable versions (listed below in this Cybersecurity Threat Advisory) are encouraged to apply the latest patch immediately.
What is the threat?
This high-severity flaw can lead to a carriage return line feed (CRLF) injection attack. This attack type allows for code execution and unauthorized remote access to VPN sessions. Because user-supplied input is insufficiently validated, an attacker can trick a user into clicking a crafted link while a VPN session is being established; the injected content then executes arbitrary script in the victim’s browser or exposes sensitive, browser-based information.
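The root cause described above is generic: a value taken from user input reaches a line-oriented protocol (HTTP headers) without the line terminators being rejected. The following added example is not Cisco's code and does not model Secure Client; it is a minimal illustration of the vulnerable pattern next to the hardened one, with the function and header names chosen for this example.

```python
import re
from urllib.parse import unquote

# Characters that terminate a header line, plus Unicode line separators that
# some decoders normalise to a line break. Set chosen for this example.
_LINE_BREAK = re.compile(r"[\r\n\u0085\u2028\u2029]")


def contains_crlf(value: str) -> bool:
    """True if the value holds a line break, raw or URL-encoded (%0d / %0a)."""
    return bool(_LINE_BREAK.search(value) or _LINE_BREAK.search(unquote(value)))


def build_header_unsafe(name: str, user_value: str) -> str:
    """Vulnerable pattern: user input is concatenated straight into a header
    line, so a value containing CRLF ends the line early and whatever follows
    is parsed as a second header."""
    return f"{name}: {user_value}\r\n"


def build_header_safe(name: str, user_value: str) -> str:
    """Hardened pattern: refuse any value that could terminate the header line.
    Rejecting is safer than stripping, because stripping can still leave a
    value the application never expected."""
    if contains_crlf(user_value):
        raise ValueError("header value contains a line break")
    return f"{name}: {user_value}\r\n"


def header_line_count(raw: str) -> int:
    """Number of header lines in a rendered block; used to show the split."""
    return raw.count("\r\n")
```

With a plain value both builders emit exactly one header line; with a value that carries an encoded or raw line break the unsafe builder emits two lines, while the safe builder raises before anything is written. The same check belongs at every point where untrusted input is placed into a redirect target, cookie, or other header.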
Why is it noteworthy?
This vulnerability affects the Cisco Secure Client for Windows, Linux, and macOS. A successful exploit could allow the attacker to execute arbitrary script code on the browser or access sensitive, browser-based information, including a valid Security Assertion Markup Language (SAML) token.
What is the exposure or risk?
When a victim visits a website under the attacker’s control, the attacker can obtain the user’s SAML token and use it to establish a remote access VPN session with the affected user’s privileges, gaining access to local internal networks. Cisco notes that to reach individual hosts and services behind the VPN headend, the attacker would still need additional credentials before access is granted.
What are the recommendations?
Barracuda MSP recommends the following actions to mitigate the effects of CVE-2024-20337:
- Determine whether the VPN headend is configured to use the SAML External Browser Feature by using the show running-config tunnel-group command in the Cisco ASA or FTD CLI. The displayed results will indicate if the SAML External Browser feature is enabled.
- To make sure their endpoints are secure, IT teams should update their software accordingly based on the version information below:
| Cisco Secure Client Release | First Fixed Release |
|---|---|
| Earlier than 4.10.04065 | Not vulnerable. |
| 4.10.04065 and later | 4.10.08025 |
| 5.0 | Migrate to a fixed release. |
| 5.1 | 5.1.2.42 |
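To apply the table to an endpoint inventory rather than one host at a time, the following added example (not Cisco's or Barracuda's code) turns the rows above into a version check. It assumes dotted numeric version strings as shown in the table, treats every 5.0 build as vulnerable because the table gives no fixed 5.0 release, and deliberately refuses to classify release trains the table does not list. The host names and versions in `SAMPLE_INVENTORY` are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    vulnerable: bool
    guidance: str  # the "First Fixed Release" cell from the advisory table


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integers so 4.10.04065 sorts below 4.10.08025."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(version: str) -> Verdict:
    """Classify one Cisco Secure Client version against the advisory table."""
    v = parse_version(version)
    if v < parse_version("4.10.04065"):
        return Verdict(False, "Not vulnerable.")
    if v[0] == 4:
        return Verdict(v < parse_version("4.10.08025"), "4.10.08025")
    if v[:2] == (5, 0):
        # No fixed 5.0 build is listed, so every 5.0 release is treated as vulnerable.
        return Verdict(True, "Migrate to a fixed release.")
    if v[:2] == (5, 1):
        return Verdict(v < parse_version("5.1.2.42"), "5.1.2.42")
    # Anything newer than 5.1 is outside the table; do not guess.
    raise ValueError(f"release train not covered by the advisory table: {version}")


def hosts_needing_patch(inventory: dict[str, str]) -> dict[str, str]:
    """Map each vulnerable host to the guidance cell it should act on."""
    needs_patch = {}
    for host, version in inventory.items():
        verdict = assess(version)
        if verdict.vulnerable:
            needs_patch[host] = verdict.guidance
    return needs_patch


# Constructed sample inventory; host names and builds are illustrative only.
SAMPLE_INVENTORY = {
    "laptop-01": "4.9.06037",
    "laptop-02": "4.10.04065",
    "laptop-03": "4.10.08025",
    "laptop-04": "5.0.00529",
    "laptop-05": "5.1.1.42",
    "laptop-06": "5.1.2.42",
}

if __name__ == "__main__":
    for host, guidance in hosts_needing_patch(SAMPLE_INVENTORY).items():
        print(f"{host}: vulnerable, first fixed release: {guidance}")
```

The version check alone does not answer whether a host is exposed: per the first recommendation, exposure also depends on whether the VPN headend uses the SAML External Browser feature, so the output here is a patch worklist, not an exploitability verdict.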
References
For more in-depth information on the recommendations, please visit the following links:
- Cisco Secure Client Carriage Return Line Feed Injection Vulnerability
- Cisco tells Secure Client users to patch immediately or risk VPN security flaw | TechRadar
- Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client (thehackernews.com)
- Cisco Patches High-Severity Vulnerabilities in VPN Product – SecurityWeek
If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.