Cisco AnyConnect Windows client under active attack

Cisco says miscreants are exploiting two vulnerabilities in its AnyConnect Secure Mobility Client for Windows, which is supposed to ensure safe VPN access for remote workers. One of the pair of flaws, tracked as CVE-2020-3433, is a privilege-escalation issue: an authenticated, local user can exploit AnyConnect to execute code …

  1. Anonymous Coward

    Not being snarky, what is the advantage of using Anyconnect over the built-in VPN client in Windows? More logging, or authentication mechanisms?

    1. Anonymous Coward

      Been a while, but I thought Windows didn’t support IPsec natively. Anyway, I use either the Microsoft Store version of AnyConnect (which just seems to add IPSec extensions to the Windows VPN infrastructure) or, mostly, openconnect, which just works on Mac or Linux (and Windows, I’m told).

      1. MrReynolds2U

        On Win10 or 11 you've got SSTP, PPTP, IKE2 (IPSec) along with good-old L2TP/IPSec (PSK\Cert) and I'm pretty sure Win7 had the same options and they were available on all editions.

        For more advanced options, if you want to direct specific traffic down different tunnels, then it can be done but requires a little fiddling.

        Win VPN doesn't support MFA yet, which you may get with VPN clients from firewall vendors, and they also may have better methods of sharing PSKs and credentials.

        I personally don't really understand why people use 3rd party VPN clients on Windows, so if anyone has a decent reason, please share it.

        1. Anonymous Coward

          https://vpncentral.com/cisco-vpn-client-windows-10-alternative/

          Windows VPN certainly seems lacking for my organisation.

    2. doublelayer Silver badge

      I've used it (not chosen it), and in that case, the advantage was multi-factor authentication with hardware tokens which was mandatory for access to networks with sensitive systems. I think the native client doesn't support this, and in any case would have required more manual configuration as we were using a lot of different OSes (they also had a bunch of infrastructure for using Linux boxes with the same authentication systems). You could probably implement that behavior using a number of options for clients, but you're adding something in all cases.

    3. J. Cook Silver badge

      Authentication mechanisms, IIRC.

      And if you are a Cisco shop using a Cisco firewall as the corporate VPN endpoint, it makes slightly more sense to use something that is guaranteed to work instead of having to fettle about with settings and the possibility of having to contact two different vendors for support.

    4. Rockets

      For us there are a few reasons. First is being able to use the VPN over a TLS or DTLS transport, which is far friendlier for hotel environments. Secondly, it's consistent across multiple OSes: Windows, macOS, Linux and mobile devices. Thirdly, the authentication mechanisms are extremely flexible: I can have certificate authentication for corporate devices, username & password with 2FA for contractors. Lastly, on the headend we can have dynamic access policies to allow traffic based on the connection profile & authorization of the user from RADIUS.
