CVE-2023-20241

Summary

Multiple vulnerabilities in Cisco Secure Client Software, formerly AnyConnect Secure Mobility Client, could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected system. These vulnerabilities are due to an out-of-bounds memory read from Cisco Secure Client Software. An attacker could exploit these vulnerabilities by logging in to an affected device at the same time that another user is accessing Cisco Secure Client on the same system, and then sending crafted packets to a port on that local host. A successful exploit could allow the attacker to crash the VPN Agent service, causing it to be unavailable to all users of the system. To exploit these vulnerabilities, the attacker must have valid credentials on a multi-user system.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Client4.9.00086affected
CiscoCisco Secure Client4.9.01095affected
CiscoCisco Secure Client4.9.02028affected
CiscoCisco Secure Client4.9.03047affected
CiscoCisco Secure Client4.9.03049affected
CiscoCisco Secure Client4.9.04043affected
CiscoCisco Secure Client4.9.04053affected
CiscoCisco Secure Client4.9.05042affected
CiscoCisco Secure Client4.9.06037affected
CiscoCisco Secure Client4.10.00093affected
CiscoCisco Secure Client4.10.01075affected
CiscoCisco Secure Client4.10.02086affected
CiscoCisco Secure Client4.10.03104affected
CiscoCisco Secure Client4.10.04065affected
CiscoCisco Secure Client4.10.04071affected
CiscoCisco Secure Client4.10.05085affected
CiscoCisco Secure Client4.10.05095affected
CiscoCisco Secure Client4.10.05111affected
CiscoCisco Secure Client4.10.06079affected
CiscoCisco Secure Client4.10.06090affected
CiscoCisco Secure Client4.10.07061affected
CiscoCisco Secure Client4.10.07062affected
CiscoCisco Secure Client4.10.07073affected
CiscoCisco Secure Client5.0.00238affected
CiscoCisco Secure Client5.0.00529affected
CiscoCisco Secure Client5.0.00556affected
CiscoCisco Secure Client5.0.01242affected
CiscoCisco Secure Client5.0.02075affected
CiscoCisco Secure Client5.0.03072affected
CiscoCisco Secure Client5.0.03076affected
CiscoCisco Secure Client5.0.04032affected

Weaknesses

  • CWE-125: Out-of-bounds Read

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References