Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability

medium Nessus Plugin ID 134164

Synopsis

The remote device is missing a vendor-supplied security patch

Description

A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges.
The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvs46327

See Also

http://www.nessus.org/u?4657eb24

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs46327

Plugin Details

Severity: Medium

ID: 134164

File Name: cisco-sa-ac-win-path-traverse-qO4HWBsj.nasl

Version: 1.21

Type: local

Agent: windows

Family: Windows

Published: 2/28/2020

Updated: 2/3/2023

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.5

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2020-3153

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:anyconnect_secure_mobility_client

Required KB Items: installed_sw/Cisco AnyConnect Secure Mobility Client, SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/19/2020

Vulnerability Publication Date: 2/19/2020

CISA Known Exploited Vulnerability Due Dates: 11/14/2022

Exploitable With

Core Impact

Metasploit (Cisco AnyConnect Priv Esc through Path Traversal)

Reference Information

CVE: CVE-2020-3153

CWE: 427

CISCO-SA: cisco-sa-ac-win-path-traverse-qO4HWBsj

IAVA: 2020-A-0080-S

CISCO-BUG-ID: CSCvs46327