Cisco AnyConnect Secure Mobility Client for Windows Privilege Escalation Vulnerability

ITS Advisory Number: 2015-116
Date(s) Issued: Thursday, September 24, 2015
Subject: Cisco AnyConnect Secure Mobility Client for Windows Privilege Escalation Vulnerability
Overview: 

A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to execute an arbitrary executable file with privileges equivalent to the Microsoft Windows operating system SYSTEM account.  Cisco AnyConnect Secure Mobility Client for Windows is a unified agent that delivers multiple security services to help enable and protect the enterprise.



The vulnerability is due to a lack of checks in the code for the path to the downloader application and associated DLLs. An attacker could exploit this vulnerability by executing the downloader application from outside its expected location and providing a set of crafted DLLs. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account.
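
A defender-side check for the condition described above, as an added example that is not part of the advisory or Cisco's code: it flags telemetry in which the downloader runs from outside its install directory or loads a DLL from an untrusted directory. The install path, downloader file name, event fields and sample events are constructed placeholders (assumptions), to be replaced with values from your own deployment.

```python
import ntpath

# Placeholders (assumptions, not taken from the advisory): set these to the
# install directory and downloader file name used in your own deployment.
EXPECTED_DIR = r"C:\Program Files\ExampleVendor\VPN Client"
DOWNLOADER = "downloader.exe"
TRUSTED_DLL_DIRS = (EXPECTED_DIR, r"C:\Windows\System32")

def _norm(path):
    """Collapse '..' and mixed separators, then case-fold like NTFS lookups."""
    return ntpath.normcase(ntpath.normpath(path))

def _directly_in(path, directory):
    """Compare whole directory components, so 'VPN Client Copy' never matches."""
    return ntpath.dirname(_norm(path)) == _norm(directory)

def triage(events):
    """Return (index, reason) for each event matching the advisory's pattern."""
    findings = []
    for i, ev in enumerate(events):
        if ntpath.basename(_norm(ev["image"])) != DOWNLOADER.lower():
            continue  # not the downloader process
        if ev["type"] == "process_create":
            if not _directly_in(ev["image"], EXPECTED_DIR):
                findings.append((i, "downloader run outside install directory"))
        elif ev["type"] == "image_load":
            if not any(_directly_in(ev["loaded"], d) for d in TRUSTED_DLL_DIRS):
                findings.append((i, "downloader loaded DLL from untrusted path"))
    return findings

# Constructed sample events, shaped like process-creation / image-load telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": EXPECTED_DIR + "\\" + DOWNLOADER},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\stage\downloader.exe"},
    {"type": "process_create", "image": r"C:\PROGRAM FILES\examplevendor\vpn client\DOWNLOADER.EXE"},
    {"type": "process_create", "image": EXPECTED_DIR + r"\..\..\..\Users\alice\downloader.exe"},
    {"type": "process_create", "image": r"C:\Program Files\ExampleVendor\VPN Client Copy\downloader.exe"},
    {"type": "image_load", "image": EXPECTED_DIR + "\\" + DOWNLOADER,
     "loaded": r"C:\Windows\System32\version.dll"},
    {"type": "image_load", "image": EXPECTED_DIR + "\\" + DOWNLOADER,
     "loaded": r"C:\Users\alice\AppData\Local\Temp\stage\helper.dll"},
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[index]
        print(index, reason, event.get("loaded", event["image"]))
```

Matching on file name alone misses a renamed copy; where the telemetry carries a file hash or signer, key on that instead.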

Systems Affected: 
  • Cisco AnyConnect Secure Mobility Client 2.0.0343
  • Cisco AnyConnect Secure Mobility Client 2.1.0148
  • Cisco AnyConnect Secure Mobility Client 2.2.0133
  • Cisco AnyConnect Secure Mobility Client 2.2.0136
  • Cisco AnyConnect Secure Mobility Client 2.2.0140
  • Cisco AnyConnect Secure Mobility Client 2.3.0185
  • Cisco AnyConnect Secure Mobility Client 2.3.0254
  • Cisco AnyConnect Secure Mobility Client 2.3.1003
  • Cisco AnyConnect Secure Mobility Client 2.3.2016
  • Cisco AnyConnect Secure Mobility Client 2.4.0202
  • Cisco AnyConnect Secure Mobility Client 2.4.1012
  • Cisco AnyConnect Secure Mobility Client 2.5 Base
  • Cisco AnyConnect Secure Mobility Client 2.5.0217
  • Cisco AnyConnect Secure Mobility Client 2.5.2006
  • Cisco AnyConnect Secure Mobility Client 2.5.2010
  • Cisco AnyConnect Secure Mobility Client 2.5.2011
  • Cisco AnyConnect Secure Mobility Client 2.5.2014
  • Cisco AnyConnect Secure Mobility Client 2.5.2017
  • Cisco AnyConnect Secure Mobility Client 2.5.2018
  • Cisco AnyConnect Secure Mobility Client 2.5.2019
  • Cisco AnyConnect Secure Mobility Client 2.5.3041
  • Cisco AnyConnect Secure Mobility Client 2.5.3046
  • Cisco AnyConnect Secure Mobility Client 2.5.3051
  • Cisco AnyConnect Secure Mobility Client 2.5.3054
  • Cisco AnyConnect Secure Mobility Client 2.5.3055
  • Cisco AnyConnect Secure Mobility Client 3.0.0
  • Cisco AnyConnect Secure Mobility Client 3.0.0629
  • Cisco AnyConnect Secure Mobility Client 3.0.1047
  • Cisco AnyConnect Secure Mobility Client 3.0.2052
  • Cisco AnyConnect Secure Mobility Client 3.0.3050
  • Cisco AnyConnect Secure Mobility Client 3.0.3054
  • Cisco AnyConnect Secure Mobility Client 3.0.4235
  • Cisco AnyConnect Secure Mobility Client 3.0.5075
  • Cisco AnyConnect Secure Mobility Client 3.0.5080
  • Cisco AnyConnect Secure Mobility Client 3.0.09231
  • Cisco AnyConnect Secure Mobility Client 3.0.09266
  • Cisco AnyConnect Secure Mobility Client 3.0.09353
  • Cisco AnyConnect Secure Mobility Client 3.1.0
  • Cisco AnyConnect Secure Mobility Client 3.1.02043
  • Cisco AnyConnect Secure Mobility Client 3.1.05182
  • Cisco AnyConnect Secure Mobility Client 3.1.05187
  • Cisco AnyConnect Secure Mobility Client 3.1.06073
  • Cisco AnyConnect Secure Mobility Client 3.1.07021
  • Cisco AnyConnect Secure Mobility Client 3.1 (60)
  • Cisco AnyConnect Secure Mobility Client 4.0.0
  • Cisco AnyConnect Secure Mobility Client 4.0.00048
  • Cisco AnyConnect Secure Mobility Client 4.0.00051
  • Cisco AnyConnect Secure Mobility Client 4.0 (64)
  • Cisco AnyConnect Secure Mobility Client 4.0 (48)
  • Cisco AnyConnect Secure Mobility Client 4.0 (2049)
  • Cisco AnyConnect Secure Mobility Client 4.1.0
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: N/A
Description: 

A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to execute an arbitrary executable file with privileges equivalent to the Microsoft Windows operating system SYSTEM account.  An authenticated, local attacker could exploit this vulnerability by executing the downloader application from outside its expected location and providing a set of crafted DLLs. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account, which could result in a complete system compromise.  To exploit this vulnerability an attacker must authenticate and have local access to the targeted system.

  • CVE-2015-4211 - A patch is available from Cisco
  • CVE-2015-6305 - There is no patch available at this time
Actions: 
  • After appropriate testing, apply appropriate patches provided by Cisco to vulnerable systems.
  • Allow only trusted users to access systems that have the Cisco AnyConnect Secure Mobility Client for Windows installed.