Cisco AnyConnect Secure Mobility Client for OS X is affected by a vulnerability that allows local attackers to mount arbitrary DMG files at arbitrary mount points. By exploiting this vulnerability it is possible for the attacker to gain root privileges. Cisco reports that a similar issue also exists in Cisco AnyConnect Secure Mobility Client for Linux.
66660159f211f495d60f7ca1acea5dbe4e444722621da4f69354d6747a67fc1b
The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.9.00086 is vulnerable to DLL hijacking and allows local attackers to execute code on the affected machine with system level privileges. Both attacks consist in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service.
74ae12d312c6c46fa9f122b2a106d803de515d0b707dfe34720c066dd56a2680
The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to version 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The attack consists in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service. This service will then launch the vulnerable installer component (vpndownloader), which copies itself to an arbitrary location before being executed with system privileges. Since vpndownloader is also vulnerable to DLL hijacking, a specially crafted DLL (dbghelp.dll) is created at the same location vpndownloader will be copied to, in order to get code execution with system privileges. This exploit has been successfully tested against Cisco AnyConnect Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10 version 1909 (x64) and Windows 7 SP1 (x86).
b6d44c2b494378ff342fef57be9d4be4564327103eadabb01ff166ae6dae9bff
Cisco AnyConnect Secure Mobility Client for Windows version 4.8.01090 suffers from a privilege escalation vulnerability due to insecure handling of path names.
8ee614424eee5c4644b331ca89e2c2afc6470c9c8941cb5e0f7d3280686ef76c
Debian Linux Security Advisory 4607-1 - Lukas Kupczyk reported a vulnerability in the handling of chunked HTTP in openconnect, an open client for Cisco AnyConnect, Pulse and GlobalProtect VPN. A malicious HTTP server (after having accepted its identity certificate) can provide bogus chunk lengths for chunked HTTP encoding and cause a heap-based buffer overflow.
4f4e3fff7bd0509ce1ac161fec38bfda002f9e838f665c2090308e3d7194c086
Cisco AnyConnect Secure Mobility Client version 4.6.01099 suffers from a denial of service vulnerability.
c6e0c15d91b91207790a50bd4ffc241b9d7758952646e0f4bb8076175cafe939
Cisco AnyConnect Start Before Logon (SBL) versions 4.3.04027 and below suffer from a local privilege escalation vulnerability.
a940cb43f59488ff489670ff1c373d98a9bcd072247f920b103d88a5edb179d8
Cisco Security Advisory - A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system.
02b9c6f4f6e737456c42c90aad2a3b6e1af83ca3854fb613d016ca479d142536
Cisco AnyConnect Secure Mobility Client version 3.1.08009 suffers from a privilege escalation vulnerability. The fix for CVE-2015-4211 is insufficient, which allows a local application to elevate to local system through the CMainThread::launchDownloader command.
d8d8aba2be2bbe07e77874ac6db9c506cab1e1e1d4012296e7b37ab6841902a0
Cisco AnyConnect Secure Mobility Client for Windows is affected by a vulnerability that allows local attackers to execute arbitrary DLL files with elevated privilege. By exploiting this vulnerability it is possible for the attacker to gain SYSTEM privileges.
6e297eee712fe356db2c53d7b036bfdab4084dfcf2f39784ebf1a1798f5494f2
Cisco AnyConnect Secure Mobility Client VPN API suffers from a stack buffer overflow vulnerability when parsing a large amount of bytes to the 'strHostNameOrAddress' parameter in the 'ConnectVpn' function, which resides in the vpnapi.dll library, resulting in memory corruption and overflow of the stack. An attacker can gain access to the system of the affected node and execute arbitrary code.
dac7411f05283d661db0270e17445520d8333ee834fc62e65065a63168d12eaf
Cisco Security Advisory - The Cisco AnyConnect Secure Mobility Client is affected by multiple vulnerabilities including code execution. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. Revision 2.0 of this advisory corrects an inadvertent omission in the original advisory, which failed to list that the fixes also address a vulnerability in Cisco Secure Desktop, described by CVE-2012-4655.
a52f6d5d083fc974978078f9cbd107d63b02f06d64a888f00c4f24dcfdc3931d
Zero Day Initiative Advisory 12-156 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco AnyConnect VPN Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists due to insufficient signature checks with the Cisco AnyConnect VPN Client. When the client is invoked through the ActiveX control it downloads and checks a file called vpndownloader.exe. This file has to be properly signed by Cisco. Once this file is downloaded it is run and downloads additional configuration files. Within the downloaded config file it is possible to force a download of executable files. Those files are not properly checked for valid certificates and are run on the host as soon as they are downloaded.
bb507fe8757aaf4a980506dd8a097f561be4b5b256078e3bd81e13cc1436b65e
Zero Day Initiative Advisory 12-149 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco AnyConnect VPN Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists because the VPN AnyConnect helper program does not check the version number of the vpndownloader.exe program it downloads. As such it is possible to forcefully install an older version of the vpndownloader.exe that is vulnerable to previously patched issues.
75dc16487817f808542467ad8adc6967577a1b02ed4a8410431a230537dc12d4
Secunia Security Advisory - Two vulnerabilities have been reported in Cisco AnyConnect VPN Client, which can be exploited by malicious people to compromise a user's system.
820a95f8c9eb5bd946d54eee1052b23b67e15c7f5466e8ddfd2b11bf1d39bfd6
Cisco Security Advisory - The Cisco AnyConnect Secure Mobility Client is affected by multiple vulnerabilities including code execution. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
08cfe7a215d929cba091f6ca3cd541e7690b6f415bf90d797eed5ce00256ce26
Debian Linux Security Advisory 2495-1 - A buffer overflow was discovered in OpenConnect, a client for the Cisco AnyConnect VPN, which could result in denial of service.
442b6bf476818c5707cbcf2328190e8b4cc3499ff967a3ec60ad5c4de6262e62
This Metasploit module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property, which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the 'url' property. One of these files will be stored in a temporary directory and executed.
ef1996fa8324f29a9b671331d440a114bd14ca14534139ba1cdb0b9541a1ba33
iDefense Security Advisory 06.01.11 - Remote exploitation of a design error within Cisco Systems Inc's AnyConnect VPN client allows attackers to execute arbitrary code with the privileges of a user running Internet Explorer. Cisco AnyConnect VPN client versions prior to 2.3.185 for Windows, 2.5.3041 and 3.0.629 for Linux and Apple Mac OS X are vulnerable.
96607ad5bdb47410c34ae00de556f9b206fa53b2e1d72debfc2be9cac1c836fd
Secunia Security Advisory - Two vulnerabilities have been reported in Cisco AnyConnect VPN Client, which can be exploited by malicious people with physical access to bypass certain security restrictions and by malicious people to compromise a user's system.
0a7a8abaf3b3ec668628e8b6274c2cd00a6b065cc298825f5b11b3828c3b1bba
Cisco Security Advisory - The Cisco AnyConnect Secure Mobility Client, previously known as the Cisco AnyConnect VPN Client, is affected by arbitrary program execution and local privilege escalation vulnerabilities. There are no workarounds for the vulnerabilities described in this advisory.
b6f62c24ad600052d82c60490ef64ffb9b47d1a6b4fbb76139a5453a3b92aadf
Secunia Security Advisory - A vulnerability has been reported in Cisco AnyConnect VPN Client, which can be exploited by malicious, local users to gain escalated privileges.
f4c7074942e1fac4649bc36f2facfee82edb9b9b75aab74f359555fb981674db