Missing Authentication for Critical Function in Cisco Secure Client for Windows



Published: 2024-05-16
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-20391
CWE-ID CWE-306
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		Cisco Secure Client for Windows
Other software / Other software solutions

Vendor

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Missing Authentication for Critical Function

EUVDB-ID: #VU89589

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-20391

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass authentication process.

The vulnerability exists due to a lack of authentication on a specific function in the Network Access Manager (NAM) module. An attacker with physical access can execute arbitrary code with SYSTEM privileges on the target device.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Secure Client for Windows: before 5.1.3.62

CPE2.3
External links

http://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-nam-priv-esc-szu2vYpZ


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###