Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.

The settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations section of this advisory.

Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093

Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 with no additional configuration required. See the Recommendations section for additional optional but recommended settings.

Upgrade instructions for systems where workarounds were previously applied

This section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes or Configuration Guide.

The following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. This file is in the following locations:

  • Windows:<DriveLetter>:ProgramDataCiscoCisco AnyConnect Secure Mobility Client
  • macOS: /opt/cisco/anyconnect/
  • Linux: /opt/cisco/anyconnect/
AnyConnect Secure Mobility Client Software Release AnyConnectLocalPolicy.xml Settings Instructions

Earlier than 4.9.04053

Previously deployed AnyConnectLocalPolicy.xml settings:

  • BypassDownloader= true

New AnyConnectLocalPolicy.xml settings:

  • BypassDownloader=false
  1. Upgrade to 4.10 using a predeploy method.
  2. Redistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
  3. Apply the new 4.10 settings shown in the Recommendations section.

4.9.04053, 4.9.05042, 4.9.06037

Previously deployed AnyConnectLocalPolicy.xml settings:

  • RestrictScriptWebDeploy=true
  • RestrictHelpWebDeploy=true
  • RestrictResourceWebDeploy=true
  • RestrictLocalizationWebDeploy=true
  • BypassDownloader=false

New AnyConnectLocalPolicy.xml settings:

  • RestrictScriptWebDeploy=false
  • RestrictHelpWebDeploy=false
  • RestrictResourceWebDeploy=false
  • RestrictLocalizationWebDeploy=false
  • BypassDownloader=false
  1. Upgrade to 4.10 using either a predeploy or webdeploy method.
  2. Redistribute1 the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
  3. Apply the new 4.10 settings shown in the Recommendations section.

1. Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. If these settings remain true, files must be distributed using an out-of-band deployment method.

Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037

For customers who have already applied the RestrictScriptWebDeploy workaround

For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.

To restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.

For customers who cannot upgrade to Release 4.10.00093 or later

For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment. 

There are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the Release Notes or Cisco bug ID CSCvw48062. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.

  • RestrictScriptWebDeploy
  • RestrictHelpWebDeploy
  • RestrictResourceWebDeploy
  • RestrictLocalizationWebDeploy

The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

  1. Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:
    • Windows:<DriveLetter>:ProgramDataCiscoCisco AnyConnect Secure Mobility Client
    • macOS:/opt/cisco/anyconnect/
    • Linux:/opt/cisco/anyconnect/
  2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:
    <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
    <RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
    <RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
    <RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>
  3. Change that setting to true, as shown in the following example:
    <RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
    <RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
    <RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
    <RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>
  4. Verify that the BypassDownloader setting is correct by looking for the following line:
    <BypassDownloader>false</BypassDownloader>
  5. If the BypassDownloader setting is true, change it to false, as shown in the following example:
    <BypassDownloader>false</BypassDownloader>
  6. Save the file to the original location. The network paths are noted above.
  7. Restart the VPN Agent service or reboot the client machine.

Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053

For customers who have already applied the BypassDownloader mitigation

For customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section.

For customers who cannot upgrade to Release 4.10.00093 or later

For customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.

Warning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.

Note: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:

  • All future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.
  • AnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.

The procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

  1. Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:
    • Windows:<DriveLetter>:ProgramDataCiscoCisco AnyConnect Secure Mobility Client
    • macOS:/opt/cisco/anyconnect/
    • Linux: /opt/cisco/anyconnect/
  2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:
    <BypassDownloader>false</BypassDownloader>
  3. Change that setting to true, as shown in the following example:
    <BypassDownloader>true</BypassDownloader>
  4. Save the file to the original location. The network paths are noted above.
  5. Restart the VPN Agent service or reboot the client machine.