cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3868
Views
12
Helpful
20
Replies

Cisco Secure Client CVE-2024-20337

ansto
Level 1
Level 1

Following upgrading to upgrading to 5.1.2.42 to fix the vulnerability CVE-2024-20337

Within Microsoft Defender this is still flagged as vulnerability for the CVE

It appears to refer to a component of the install:

C:\Program Files (x86)\Cisco\Cisco Secure Client\acsocktool.exe\acsocktool.exe

Cisco secure Client Socket Filter Tool v5.1.2.22

Question is if this version is covers the vulnerability why is a component still being flagged as a vulnerability?

Thanks

 

20 Replies 20

ITSDigital
Level 1
Level 1

Also seeing this which is killing our secure score.

According to this Stack Overflow article it's for "DNS proxying. App/transparent proxying. Content filtering".

I've removed the EXE from my system and Secure Client still works in our setup as we do not use that functionality of AnyConnect/Secure Client.

Hopefully Cisco will release a new update and/or Microsoft will revaluate the vulnerability.

Gopinath_Pigili
Spotlight
Spotlight

Hello ansto,

I think...Cisco has released software updates (free) that address this vulnerability. There are no workarounds that address this vulnerability.

For more details....Please go through the following link:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7

Best regards
******* If This Helps, Please Rate *******

 

ITSDigital
Level 1
Level 1

Hi Gopinath,

The fixed releases section in the link you provided refers to the software we have already installed: 5.1.2.42 (cisco-secure-client-win-5.1.2.42-predeploy-k9)

v5.1.2.42 bundles a component (Cisco secure Client Socket Filter Tool ) which has a version number of v5.1.2.22 - which is from the previous vulnerable release.

 

Is Windows Defender specifically flagging C:\Program Files (x86)\Cisco\Cisco Secure Client\acsocktool.exe\acsocktool.exe as vulnerable?

ansto
Level 1
Level 1

Yep, showing as weakness due to versioning.

 

 

ansto_1-1713883074754.png

ansto_2-1713883137552.png

 

 

 

I don't think the acsocktool.exe would have nothing to do with SAML authentication which is the focus of CVE-2024-20337.  It seems as though Windows Defender is simply looking at the version numbers and determining a vulnerability.  

Thanks - reported in two tenants:

ITSDigital_0-1713947492927.png

 

ITSDigital
Level 1
Level 1

Hi stsargen,

We can report this is an inaccuracy to Microsoft, if you are sure that this component is not vulnerable. 
Agreed based on description it shouldn't, but we don't have source code or vuln tests to confirm.

Yep that would be helpful as affecting the exposure score within defender.

I have confirmed that this has nothing to do with SAML authentication.  Please report to Microsoft as a false positive.

Ltorres1
Level 1
Level 1

There seems to be a newer version for the Secure client:
5.1.3.62
can anyone see if updating make the vulnerability go away from the ATP console?

The vulnerability is still there after updating to 5.1.3.62 so it's been reported as a false positive.

stsargen
Cisco Employee
Cisco Employee

The version of the file has not changed in the AnyConnect package.  It will not change unless a code change is needed in that specific file.  

Can confirm my reports didn't change anything. The inertia needed to get MS to change this, as @mcoombe said, might require Cisco's input?