CVE-2024-20474
📋 TL;DR
An integer underflow vulnerability in IKEv2 processing in Cisco Secure Client (formerly AnyConnect) allows unauthenticated remote attackers to crash the client via crafted packets, causing a denial of service. This affects users of Cisco Secure Client software versions 4.10 and earlier. The impact is limited to client-side DoS, not server compromise.
💻 Affected Systems
- Cisco Secure Client
- Cisco AnyConnect Secure Mobility Client
📦 What is this software?
Anyconnect Secure Mobility Client by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker causes persistent client crashes, disrupting VPN connectivity for affected users until client is restarted or patched.
Likely Case
Intermittent client crashes leading to temporary VPN disconnections for targeted users.
If Mitigated
Minimal impact if patched promptly; unpatched clients may experience brief outages but no data loss or system compromise.
🎯 Exploit Status
Exploitation requires sending crafted IKEv2 packets, which is straightforward but may require network access to the client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.11 or later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csc-dos-XvPhM3bj
Restart Required: Yes
Instructions:
1. Download Cisco Secure Client version 4.11 or later from Cisco's software download center.
2. Install the update on all affected endpoints.
3. Restart the client or system as prompted.
🔧 Temporary Workarounds
Disable IKEv2
Configure Cisco Secure Client to use SSL/TLS instead of IKEv2 for VPN connections, so the vulnerable protocol path is not used.
No command-line change is required; configure this via the Cisco Secure Client GUI or group policy.
🧯 If You Can't Patch
- Block inbound IKEv2 packets (UDP port 500 and 4500) at network firewalls to prevent remote exploitation.
- Monitor for client crashes and alert on unusual IKEv2 traffic patterns to detect potential attacks.
🔍 How to Verify
Check if Vulnerable:
Check the Cisco Secure Client version via GUI (Help > About) or command line; versions 4.10 or earlier are vulnerable.
Check Version:
On Windows: run "C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe" -v, or check the GUI. On macOS/Linux: run the vpncli command with the -v flag.
Verify Fix Applied:
Confirm version is 4.11 or later after patching and test VPN connectivity with IKEv2.
📡 Detection & Monitoring
Log Indicators:
- Log entries indicating Cisco Secure Client crashes or unexpected terminations in system/application logs.
Network Indicators:
- Unusual IKEv2 packet spikes or malformed packets on UDP ports 500/4500 directed at clients.
SIEM Query:
Example: search for 'Cisco Secure Client' AND ('crash' OR 'error') in endpoint logs within last 24 hours.
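An added check for the verification and SIEM-query sections above (example code written for this page, not a Cisco tool): it parses the version printed by vpncli -v into integers so that 4.9 and 4.10 both rank below the fixed 4.11 release, and applies the log search as a filter over endpoint log lines. The vpncli output and log lines are constructed samples; the 4.11 threshold is taken from the page.

```python
import re
from typing import List, Optional, Tuple

# Fixed release as stated in the summary above: 4.11 and later.
FIXED_VERSION = (4, 11)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted version (e.g. 4.10.07073) from raw tool output as ints,
    so that 4.9 < 4.10 < 4.11; comparing raw strings would rank '4.9' above '4.10'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the installed major.minor is below the fixed release."""
    return tuple(version[:2]) < FIXED_VERSION


def assess(cli_output: str) -> str:
    """One-line verdict per endpoint for an inventory report."""
    v = parse_version(cli_output)
    if v is None:
        return "unknown: no version found in output"
    label = ".".join(str(p) for p in v)
    return f"{label}: {'VULNERABLE, upgrade to 4.11+' if is_vulnerable(v) else 'fixed'}"


def crash_events(log_lines: List[str]) -> List[str]:
    """The SIEM query above as code: 'Cisco Secure Client' AND ('crash' OR 'error'),
    matched case-insensitively on each endpoint log line."""
    return [ln for ln in log_lines
            if "cisco secure client" in ln.lower()
            and ("crash" in ln.lower() or "error" in ln.lower())]


# Constructed samples: real vpncli -v and event-log formats may differ, which is
# why both functions search for patterns instead of assuming a fixed layout.
SAMPLE_OUTPUTS = [
    "Cisco Secure Client (version 4.10.07073).",
    "Cisco Secure Client (version 4.11.00001).",
    "Cisco AnyConnect Secure Mobility Client (version 4.9.06037).",
]
SAMPLE_LOG = [
    "10:02:11 Application Error: faulting application vpnagent.exe (Cisco Secure Client)",
    "10:02:15 Cisco Secure Client: connection established",
    "10:05:40 Windows Update: error 0x80070002",
]

if __name__ == "__main__":
    for out in SAMPLE_OUTPUTS:
        print(assess(out))
    print(len(crash_events(SAMPLE_LOG)), "crash/error event(s)")
```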