Very Pwnable Network (VPN)

This research starts with a weird series of crashes on Jiska's iPhone. Due to her ongoing paranoia, she decided to use a VPN, and because she had to trust her university's network anyway, she decided to use her university's Cisco VPN service. Obviously, this did not go well, and soon she had crash logs with memory accesses to invalid addresses, because these addresses were representing Strings?! These errors only occurred when she had bad network connectivity and no debugging enabled, so nobody was able to reproduce them. Either way, to start analyzing Cisco AnyConnect security, the more accessible Linux client was the first option. Gerbert did a detailed analysis and documented how this client works, since there was no documentation at all and users basically install a black box on their system. The application is by no means just a VPN client anymore. In addition to VPN connections, the application offers a number of special features like auto updating, file deployment and host assessment. The AnyConnect Linux client is even able to execute arbitrary scripts provided by the server, thus, the user needs to ultimately trust the AnyConnect provider. Even if this trust assumption holds true, the client is so complex that various attack vectors become possible. Gerbert found two vulnerabilities resulting in three attack scenarios. One of the issues was fixed without being assigned a CVE, the other one got CVE-2020-3556. Matthias continued with the iOS client, which is even harder to analyze than the closed-source Linux client. Since many Linux features are not available on iOS and the client has a completely different design, the previously found attacks do not apply. However, he will show the general architecture of this iOS Cisco AnyConnect Network Extension.