ASA-2018-00044 – SwitchVPN: Insecure update process allows remote code execution

The update process in the SwitchVPN client is vulnerable to a MiTM (man-in-the-middle) attack. The client either checks for the availability of a new version using the integrated auto-update function, or the user can manually initiate an update using an update utility. Version information is pulled from a remote XML file and compared to the version number of the currently installed SwitchVPN client. All requests are transmitted over HTTP, which means that an attacker on the same network is able to intercept and manipulate the traffic. This means, an attacker can trigger the SwitchVPN client to download a malicious update package which will be installed on the device. In addition to that, an attacker is able to implant an installation script (installscript.qs) which will get executed immediately with elevated privileges. When auto-update is enabled (which is the default setting), this process happens completely transparent to the user.