Cisco AnyConnect Secure Mobility Client 2.0.0343 through 4.1.0 DLL Side Loading Local Privilege Escalation

High Log Correlation Engine Plugin ID 801959

Synopsis

Cisco AnyConnect Secure Mobility Client 2.0.0343 through 4.1.0 for Windows contains a vulnerability that could allow an authenticated, local attacker to gain elevated privileges.

Description

A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to execute an arbitrary executable file with privileges equivalent to the Microsoft Windows operating system SYSTEM account.

The vulnerability is due to lack of checks in the code for the path to the downloader application and associated DLLs. An attacker could exploit this vulnerability by executing the downloader application from outside its expected location and providing a set of crafted DLLs. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account.

Functional code that exploits this vulnerability is publicly available.

Solution

We are not currently aware of a solution for this vulnerability.

See Also

http://www.cisco.com/

https://tools.cisco.com/bugsearch/bug/CSCuv01279

http://tools.cisco.com/security/center/viewAlert.x?alertId=41136

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20150922-CVE-2015-6305

http://seclists.org/fulldisclosure/2015/Sep/80

https://www.securify.nl/advisory/SFY20150601/cisco_anyconnect_elevation_of_privileges_via_dll_side_loading.html

https://code.google.com/p/google-security-research/issues/detail?id=460

https://packetstormsecurity.com/files/133658/Cisco-AnyConnect-DLL-Side-Loading-Privilege-Escalation.html

https://packetstormsecurity.com/files/133876/Cisco-AnyConnect-Secure-Mobility-Client-3.1.08009-Privilege-Elevation.html

Plugin Details

Severity: High

ID: 801959

Family: Generic

Nessus ID: 86302

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

Vulnerability Publication Date: 2015/09/22

Reference Information

CVE: CVE-2015-6305