Vulnerability management: is patching enough?

A great example popped up today regarding truly effective vulnerability management. Many businesses have automated patching tools, and some may be under the impression that by having a solution like that in place, everything is covered. Here is a concrete case showing why that is not so.

Cisco’s AnyConnect VPN is used by many businesses throughout the world. As of late, there have been several new releases of the client modules, either to fix vulnerabilities or to support new operating systems on which older versions of the client no longer run.

A recent Cisco advisory shows that version 4.9.04053 (which is the most recent version of the client package) is susceptible to arbitrary code execution. See Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability. In the advisory summary, Cisco states “Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability.”

The ‘workarounds’ are where patch management falls short. Currently, there is no updated piece of software that will fix this vulnerability, which is rated ‘High’ severity. Further into the advisory, the workaround requires that an XML configuration file be modified on each client machine to mitigate the vulnerability:

  1. Find the AnyConnectLocalPolicy.xml file on the client machine. This file can be found at the following locations:
    1. Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
    2. macOS: /opt/cisco/anyconnect/
    3. Linux: /opt/cisco/anyconnect/
  2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:
       <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
       <RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
       <RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
       <RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>
  3. Change each of those settings to true, as shown in the following example:
       <RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
       <RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
       <RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
       <RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>
  4. Verify that the BypassDownloader setting is correct by looking for the following line:
       <BypassDownloader>false</BypassDownloader>
  5. If the BypassDownloader setting is true, change it to false, as shown in the following example:
       <BypassDownloader>false</BypassDownloader>
  6. Save the file to the original location. The file locations are listed in step 1.
  7. Restart the VPN Agent service or reboot the client machine.
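Steps 2 through 5 are exactly the kind of check a patching tool will never perform, but they are easy to verify and enforce with a small script pushed out through configuration management. The following Python is an added example written for this post, not Cisco's code: it audits an AnyConnectLocalPolicy.xml for the five settings named in the workaround and can rewrite the file so they hold the required values. The element names come from the advisory; the sample policy document, its root element name, and the extra FipsMode element are constructed for illustration, and the tolerant handling of an XML namespace is an assumption about how a real file might be written.

```python
import sys
import xml.etree.ElementTree as ET

# The five settings the Cisco workaround requires, and the value each must hold.
REQUIRED_SETTINGS = {
    "RestrictScriptWebDeploy": "true",
    "RestrictHelpWebDeploy": "true",
    "RestrictResourceWebDeploy": "true",
    "RestrictLocalizationWebDeploy": "true",
    "BypassDownloader": "false",
}

# File locations quoted in the advisory (the Windows drive letter is a placeholder).
POLICY_PATHS = {
    "win32": r"<DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml",
    "darwin": "/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml",
    "linux": "/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml",
}

# Constructed sample of a policy still in the unmitigated state. The root element
# name and the FipsMode line are assumptions for illustration, not a captured file.
SAMPLE_VULNERABLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy acversion="4.9.04053">
  <FipsMode>false</FipsMode>
  <BypassDownloader>true</BypassDownloader>
  <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
  <RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
  <RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
  <RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>
</AnyConnectLocalPolicy>
"""


def _local_name(tag):
    """Strip an XML namespace prefix ('{uri}Name' -> 'Name') so a namespaced
    file is still matched. Assumes element names are otherwise as quoted."""
    return tag.rsplit("}", 1)[-1]


def audit_policy(xml_text):
    """Return {setting: actual_value} for each required setting that is missing
    (value None) or holds the wrong value. An empty dict means the workaround
    is fully applied."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in REQUIRED_SETTINGS:
            found[name] = (elem.text or "").strip().lower()
    findings = {}
    for name, wanted in REQUIRED_SETTINGS.items():
        actual = found.get(name)
        if actual != wanted:
            findings[name] = actual
    return findings


def harden_policy(xml_text):
    """Return the policy text with every required setting forced to its
    required value; a setting that is absent is appended to the root so the
    resulting policy is explicit rather than relying on a default."""
    root = ET.fromstring(xml_text)
    present = set()
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in REQUIRED_SETTINGS:
            elem.text = REQUIRED_SETTINGS[name]
            present.add(name)
    for name, wanted in REQUIRED_SETTINGS.items():
        if name not in present:
            child = ET.SubElement(root, name)
            child.text = wanted
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n"


def check_file(path, fix=False):
    """Audit the policy file at `path`; with fix=True, rewrite it in place.
    Returns the findings seen before any rewrite."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    findings = audit_policy(text)
    if findings and fix:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(harden_policy(text))
    return findings


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; pass a real path to audit it.
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1], fix="--fix" in sys.argv[2:]))
    else:
        print("before:", audit_policy(SAMPLE_VULNERABLE_POLICY))
        print("after: ", audit_policy(harden_policy(SAMPLE_VULNERABLE_POLICY)))
```

Run it against the platform's path from POLICY_PATHS with elevated rights, then restart the VPN Agent service as step 7 requires; a fleet-wide report of non-empty findings is the evidence that a scanner keyed only to the installed version cannot give you. Note that ElementTree rewrites the file without preserving comments or formatting, so if the policy file carries a namespace or comments you care about, prefer reporting over rewriting and apply the edits with your configuration management tool.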

Consider that this is one tiny piece of software among hundreds in use by the average organization. Multiply this example across an entire environment, and one can see why having the right tools and processes in place is critical to effectively implementing a continuous vulnerability management programme.