Re: Cisco Secure Client CVE-2024-20337

ansto · ‎04-17-2024

Following upgrading to upgrading to 5.1.2.42 to fix the vulnerability CVE-2024-20337

Within Microsoft Defender this is still flagged as vulnerability for the CVE

It appears to refer to a component of the install:

C:\Program Files (x86)\Cisco\Cisco Secure Client\acsocktool.exe\acsocktool.exe

Cisco secure Client Socket Filter Tool v5.1.2.22

Question is if this version is covers the vulnerability why is a component still being flagged as a vulnerability?

Thanks

ITSDigital · ‎04-23-2024

Also seeing this which is killing our secure score.

According to this Stack Overflow article it's for "DNS proxying. App/transparent proxying. Content filtering".

I've removed the EXE from my system and Secure Client still works in our setup as we do not use that functionality of AnyConnect/Secure Client.

Hopefully Cisco will release a new update and/or Microsoft will revaluate the vulnerability.

Gopinath_Pigili · ‎04-23-2024

Hello ansto,

I think...Cisco has released software updates (free) that address this vulnerability. There are no workarounds that address this vulnerability.

For more details....Please go through the following link:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7

Best regards
******* If This Helps, Please Rate *******

ITSDigital · ‎04-23-2024

Hi Gopinath,

The fixed releases section in the link you provided refers to the software we have already installed: 5.1.2.42 (cisco-secure-client-win-5.1.2.42-predeploy-k9)

v5.1.2.42 bundles a component (Cisco secure Client Socket Filter Tool ) which has a version number of v5.1.2.22 - which is from the previous vulnerable release.

stsargen · ‎04-23-2024

Is Windows Defender specifically flagging C:\Program Files (x86)\Cisco\Cisco Secure Client\acsocktool.exe\acsocktool.exe as vulnerable?

ansto · ‎04-23-2024

Yep, showing as weakness due to versioning.

stsargen · ‎04-23-2024

I don't think the acsocktool.exe would have nothing to do with SAML authentication which is the focus of CVE-2024-20337. It seems as though Windows Defender is simply looking at the version numbers and determining a vulnerability.

ITSDigital · ‎04-24-2024

Thanks - reported in two tenants:

ITSDigital · ‎04-24-2024

Hi stsargen,

We can report this is an inaccuracy to Microsoft, if you are sure that this component is not vulnerable.
Agreed based on description it shouldn't, but we don't have source code or vuln tests to confirm.

ansto · ‎04-24-2024

Yep that would be helpful as affecting the exposure score within defender.

stsargen · ‎04-24-2024

I have confirmed that this has nothing to do with SAML authentication. Please report to Microsoft as a false positive.

Ltorres1 · ‎04-29-2024

There seems to be a newer version for the Secure client:
5.1.3.62
can anyone see if updating make the vulnerability go away from the ATP console?

Ken_N · ‎04-30-2024

The vulnerability is still there after updating to 5.1.3.62 so it's been reported as a false positive.

stsargen · ‎04-29-2024

The version of the file has not changed in the AnyConnect package. It will not change unless a code change is needed in that specific file.

ITSDigital · ‎05-07-2024

Can confirm my reports didn't change anything. The inertia needed to get MS to change this, as @mcoombe said, might require Cisco's input?