The Indian Computer Emergency Response Team (CERT-In) has cautioned citizens about vulnerabilities in AnyConnect, a commercial VPN client from Cisco that can allow hackers to gain access to a system.
According to Cisco's website, the VPN is widely used in IT services, including in India. Reviews from customers on the website show that AnyConnect's clients include Capgemini and others.
"It is reported that vulnerabilities in Cisco AnyConnect Secure Mobility Client for Windows are being exploited in the wild by threat actors," read the CERT-In advisory published on October 28.
According to the agency, these vulnerabilities allow attackers to execute code in the targeted system or copy malicious files to key system directories.
Dual vulnerability
Two vulnerabilities exist in Cisco AnyConnect. The CERT-In termed the first vulnerability as DLL Hijacking Vulnerability.
The vulnerability exists in AnyConnect's interprocess communication channel in this case. An interprocess communication channel is a mechanism that allows processes to communicate with one another and synchronise their actions.
"An attacker with valid access credentials on the system could exploit this vulnerability by sending a specially crafted interprocess message to the AnyConnect process," the advisory read.
An attacker can then execute arbitrary code on the system.
The second vulnerability is called Uncontrolled Search Path Vulnerability.
"This vulnerability exists in the installer component of Anyconnect for Windows due to an error while handling directory paths," the advisory read.
Similar to the first vulnerability, this vulnerability can be exploited by creating malicious files and copying them to the system directory.
"It is to be noted that these vulnerabilities are being exploited in the wild. An attacker could exploit these vulnerabilities in conjunction with other Windows privilege escalation flaws to conduct further attacks on the target system," the CERT-In added.
To mitigate these vulnerabilities, the agency urged users to apply the updates available on Cisco's website.
Earlier in June, Malaysia-based DragonForceIO targeted two Indian corporate VPNs and websites of Mumbai University and Thane city police. This was in response to comments against Prophet Mohammad.
Cybernetyx VPN and Logixal VPN were allegedly compromised by hackers. They also shared login credentials with designated IP addresses associated with the two corporate VPNs. In addition, they provided screenshots to corroborate their claims.
Later Logixal, which provides e-banking solutions, clarified to Moneycontrol that customer data was not affected due to the breach and that they were conducting further investigation.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
