
CVE-2024-20337

Severity: Medium
SVRS: 30/100
CVSSv3: NA/10
EPSS: 0.03341/1

CVE-2024-20337 is a CRLF injection vulnerability in the SAML authentication process of Cisco Secure Client. A remote, unauthenticated attacker could exploit it by persuading a user to click a malicious link while establishing a VPN session. Successful exploitation allows arbitrary script code to run in the user's browser and exposes sensitive data such as a valid SAML token; an attacker could use a stolen token to establish a remote access VPN session. Access to individual hosts and services behind the VPN would still require further credentials, but the initial VPN access alone is a significant security risk. With an SVRS of 30 the vulnerability is not rated immediately critical, but given the reported active exploits it should still be monitored and mitigated. The root cause is inadequate validation of user-supplied input during the SAML process.

In The Wild
Exploit Available
2024-03-06

2024-03-07
SOCRadar AI Insight

Description

CVE-2024-20337 is a vulnerability in the SAML authentication process of Cisco Secure Client that could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. This vulnerability is due to insufficient validation of user-supplied input.

Key Insights

  • The SVRS of 38 indicates a moderate risk, but the vulnerability is actively exploited in the wild, making it a critical threat.
  • The vulnerability allows attackers to execute arbitrary script code in the browser or access sensitive information, including a valid SAML token.
  • The attacker could use the token to establish a remote access VPN session with the privileges of the affected user.

Mitigation Strategies

  • Update Cisco Secure Client to the latest version.
  • Implement strong input validation mechanisms to prevent CRLF injection attacks.
  • Use a web application firewall (WAF) to block malicious requests.
  • Educate users about the risks of clicking on untrusted links.

Additional Information

  • Threat Actors/APT Groups: Not specified
  • Exploit Status: Active exploits have been published
  • CISA Warnings: Not specified
  • In The Wild: Yes


Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
swagcraftedd/CVE-2024-20337-POC | https://github.com/swagcraftedd/CVE-2024-20337-POC | 2024-03-10

News

fortiguard.com, 2024-10-02, 1.749
1.749 | Newly Added (2): OpenSSL CVE-2024-5535 Information Disclosure Vulnerability; Cisco Secure Client CVE-2024-20337 CRLF Injection Vulnerability | Modified (11): TeamViewer CVE-2018-16550 Vulnerability, ...

Social Media

Cisco has fixed a vulnerability (CVE-2024-20337) in its Secure Client enterprise VPN solution that could reveal: https://t.co/BTr19A0oiS
CVE-2024-20337: @PaulosYibelo reported a way to break into Cisco VPNs when a trusted user clicks a link, CVSS 8.2. Cisco released a patch in March.

Affected Software

No affected software found for this CVE

References

Reference | Link
[email protected] | https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7

CWE Details

CWE ID | CWE Name | Description
CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | The software uses CRLF (carriage return line feed) sequences as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
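As an added example (not Cisco's code and not the PoC linked above), this is the input-validation check the mitigation list calls for, written against CWE-93: a naive header serialiser that lets a CR/LF inside a redirect value split the response header block, next to a hardened one that refuses such values. The header names, the `next` value and the helper names are constructed for illustration.

```python
"""Constructed CWE-93 illustration: why a CR/LF in a user-controlled value that
reaches an HTTP header (e.g. a post-login redirect target) must be neutralised."""
from urllib.parse import unquote


def contains_crlf(value: str) -> bool:
    """True if value carries a line break, raw or URL-encoded (up to two levels).

    Percent-decoding twice catches double-encoded forms (%250d%250a) that a
    downstream component might decode again before emitting the header."""
    candidates = {value, unquote(value), unquote(unquote(value))}
    return any("\r" in c or "\n" in c for c in candidates)


def unsafe_header_block(headers: dict) -> list[str]:
    """Naive serialisation: values are interpolated without neutralisation,
    so a value containing CR/LF becomes extra header lines for the client."""
    block = "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return block.split("\r\n")[:-1]  # the lines a client would parse


def safe_header_block(headers: dict) -> list[str]:
    """Hardened serialisation: reject any name or value carrying CR/LF."""
    for name, value in headers.items():
        if contains_crlf(name) or contains_crlf(value):
            raise ValueError(f"CRLF sequence in header {name!r}; refusing to emit")
    return unsafe_header_block(headers)


# Constructed sample: a redirect target as it looks after URL decoding.
CONSTRUCTED_NEXT = "/home\r\nX-Injected: demo"


def demo() -> tuple[int, bool]:
    """Return (lines the naive serialiser emits, whether the hardened one refused)."""
    headers = {"Location": CONSTRUCTED_NEXT, "Content-Length": "0"}
    naive_lines = unsafe_header_block(headers)  # 3 lines: the value split the block
    try:
        safe_header_block(headers)
        refused = False
    except ValueError:
        refused = True
    return len(naive_lines), refused


if __name__ == "__main__":
    lines, refused = demo()
    print(f"naive serialiser emitted {lines} header lines; hardened refused: {refused}")
```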
