Appalling AnyConnect Security Flaw Allowing Covert Monitoring

Like many of us, I work for a corporation that uses AnyConnect for remote access to the company's network. I also use various VPN clients, including AnyConnect, to connect to multiple third-party networks. Recently I discovered that DNS requests from my corporate owned PC were being surreptitiously redirected and monitored for quite some time by a third party that had used AnyConnect to stealthily install the Umbrella Roaming Security Module on my PC while connecting to their VPN with AnyConnect. The module sets itself up as an agent of the 3rd party and reports back DNS requests to the 3rd party's Umbrella dashboard for viewing, whether or not the AnyConnect VPN client is connected to the 3rd party's VPN server. Obviously DNS is usually redirected while connected to a VPN server, but to have DNS permanently redirected without your knowledge and have your machine set up as a monitored agent sounds like malware.

When I discovered this, I immediately opened a TAC case and requested a security advisory be issued. To my surprise, I had these 3 support engineers immediately shrug this off:

Bozhidar Petkov

Onur Fahredin

Miroslav Vasilev

As the Cyber Security Director of a corporation, would you find this acceptable? So, just by having AnyConnect installed on your employees' computers, if they were to connect to a 3rd party AnyConnect VPN server, that 3rd party would be able to covertly take control and monitor DNS requests from your employees' devices without you or the user knowing.

As an employee of a company, or as an individual, would you find it acceptable that after using a VPN client to connect to a 3rd party that you support, that just by using Cisco AnyConnect VPN client, they can surreptitiously install this module without warning to you and permanently watch your DNS requests? What if this customer is in China, Russia, or Iran?

Along with asking that they open the security advisory, I suggested two easy fixes to Cisco:

  • Warn the user of permanent DNS redirection, monitoring, and control before the Umbrella Roaming Security Module is installed.
  • When the AnyConnect VPN client is deployed on corporate owned devices, have a policy available to not allow modules such as the Umbrella Roaming Security Module to be permanently installed by 3rd party AnyConnect VPN servers.

Again, I was completely blown off by Cisco.

If you Google "malware AnyConnect Umbrella", the first search result other than Cisco's own is someone else reporting it as malware. You will have to view the cached page by clicking the 3 dots next to the link in Google since the site currently has an SSL cert issue.

tvotna
Spotlight

@JustAnotherNetworkGuy, Thank you for letting us know about this issue. In general, you can skip the TAC step in situations like this and contact psirt@cisco.com directly via email. Otherwise, if you go via TAC, the route may look like this: 1) TAC case (push back from TAC initially); 2) hopefully TAC will open a bug; 3) developer will be assigned (push back from dev team, the bug might be reclassified to enhancement); 4) PSIRT might be eventually involved and bug marked for PSIRT evaluation; 5) PSIRT will make final decision.

AnyConnect has a mechanism to prevent software installation from untrusted headends, not sure if this option helps in case of Umbrella. There is an option in the AnyConnect local policy file:

<UpdatePolicy>
<AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
<AuthorizedServerList>
<ServerName>my.example.com</ServerName>
</AuthorizedServerList>
</UpdatePolicy>

Also, not sure if this mechanism is flexible enough, e.g. don't know if separate headends can be specified for different restrictions (e.g. software updates vs profile updates, etc.).
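An added audit script (not from the thread, not Cisco's code) that parses an AnyConnect local policy file and reports whether it actually pins updates to corporate headends: it expects AllowSoftwareUpdatesFromAnyServer to be present and false, any other *FromAnyServer switch in the file to be false as well, and every ServerName under AuthorizedServerList to be one of the headends you pass in. The two policy documents are constructed samples; the root element name and xmlns are assumptions about the installed file.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a permissive local policy (any headend may push software).
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <UpdatePolicy>
    <AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
  </UpdatePolicy>
</AnyConnectLocalPolicy>"""

# Constructed sample: the restricted form shown in the reply above.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <UpdatePolicy>
    <AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
    <AuthorizedServerList>
      <ServerName>my.example.com</ServerName>
    </AuthorizedServerList>
  </UpdatePolicy>
</AnyConnectLocalPolicy>"""


def _name(el):
    """Local tag name without the XML namespace prefix the file may carry."""
    return el.tag.rsplit("}", 1)[-1]


def audit_local_policy(xml_text, corporate_headends):
    """Return findings; an empty list means updates are pinned to corporate_headends."""
    wanted = {h.lower() for h in corporate_headends}
    findings = []
    root = ET.fromstring(xml_text)
    policy = next((e for e in root.iter() if _name(e) == "UpdatePolicy"), None)
    if policy is None:
        return ["UpdatePolicy missing: no restriction on which headends may push updates"]
    # Every *FromAnyServer switch that is present should read "false".
    switches = {_name(e): (e.text or "").strip().lower()
                for e in policy if _name(e).endswith("FromAnyServer")}
    if "AllowSoftwareUpdatesFromAnyServer" not in switches:
        findings.append("AllowSoftwareUpdatesFromAnyServer not set")
    findings += [f"{k} is {v or 'empty'}, expected false"
                 for k, v in switches.items() if v != "false"]
    # With updates restricted, the allowlist must exist and name only our headends.
    servers = {(e.text or "").strip().lower()
               for e in policy.iter() if _name(e) == "ServerName"}
    if not servers and "false" in switches.values():
        findings.append("AuthorizedServerList empty: no headend is trusted for updates")
    findings += [f"unexpected authorized headend: {s}" for s in sorted(servers - wanted)]
    return findings
```

Point it at the installed AnyConnectLocalPolicy.xml on a fleet machine and an empty result means a 3rd party headend cannot push modules through this path.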