Cisco AnyConnect Secure Mobility Client 3.x < 3.1.11004.0 / 4.x < 4.1.6020.0 Privilege Escalation

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote host is affected by a privilege escalation vulnerability.

Description :

The Cisco AnyConnect Secure Mobility Client installed on the remote
host is version 3.x prior to 3.1.11004.0 or 4.x prior to 4.1.6020.0.
It is, therefore, affected by an untrusted search path flaw in the
CMainThread::launchDownloader method due to a failure to check the
path to the downloader application and associated DLL files. An
authenticated, local attacker can exploit this by running the
downloader application from outside its expected location and
providing crafted DLLs, to execute arbitrary commands on the host
with privileges equivalent to the SYSTEM account.

Note that this vulnerability resulted from an incomplete fix for
CVE-2015-4211.

See also :

https://tools.cisco.com/security/center/viewAlert.x?alertId=41136
https://tools.cisco.com/bugsearch/bug/CSCuv01279
http://www.nessus.org/u?d12c6fa4
http://www.nessus.org/u?714e1c2a

Solution :

Upgrade to Cisco AnyConnect Secure Mobility Client version
3.1.11004.0 / 4.1.6020.0 or later.
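
The following triage sketch is an added example, not part of the plugin or of Cisco's advisory. It classifies client version strings from a software inventory against the fixed releases named above. It assumes inventories may report either the four-part form used on this page or a zero-padded three-part form; the host names and versions in INVENTORY are constructed sample data.

```python
import re

# Fixed releases named in the advisory, keyed by major version.
FIXED = {3: (3, 1, 11004, 0), 4: (4, 1, 6020, 0)}


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted version."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]  # int() drops zero padding
    return tuple(parts + [0] * (4 - len(parts)))  # pad to four components


def classify(text):
    """Classify one version string against the advisory's ranges."""
    version = parse_version(text)
    if version is None:
        return "unparsed"        # needs manual review, not a silent pass
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "out-of-scope"    # the advisory only covers 3.x and 4.x
    return "vulnerable" if version < fixed else "fixed"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = {
    "ws-001": "3.1.05160",
    "ws-002": "3.1.11004.0",
    "ws-003": "4.0.00061",
    "ws-004": "4.1.06020",
    "ws-005": "2.5.6005",
    "ws-006": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host}: {INVENTORY[host]} -> {status}")
```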

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.5
(CVSS2#E:POC/RL:U/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 86302

Bugtraq ID:

CVE ID: CVE-2015-6305
