Cisco AnyConnect Secure Mobility Client up to 4.4.2033 on Windows DLL Loader access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.7 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Cisco AnyConnect Secure Mobility Client up to 4.4.2033 on Windows. It has been rated as critical. This issue affects some unknown processing of the component DLL Loader. The manipulation leads to access control. This vulnerability is referenced as CVE-2017-6638. The attack can only be performed from a local environment. No exploit is available. Upgrading the affected component is advised.
Details
A vulnerability was found in Cisco AnyConnect Secure Mobility Client up to 4.4.2033 on Windows (Network Encryption Software). It has been rated as critical. This issue affects an unknown function of the component DLL Loader. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
A vulnerability in how DLL files are loaded with Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and run an executable file with privileges equivalent to the Microsoft Windows SYSTEM account. The vulnerability is due to incomplete input validation of path and file names of a DLL file before it is loaded. An attacker could exploit this vulnerability by creating a malicious DLL file and installing it in a specific system directory. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account. The attacker would need valid user credentials to exploit this vulnerability. This vulnerability affects all Cisco AnyConnect Secure Mobility Client for Windows software versions prior to 4.4.02034. Cisco Bug IDs: CSCvc97928.
The bug was discovered 06/07/2017. The weakness was published 06/08/2017 by Felix Wilhelm as cisco-sa-20170607-anyconnect as confirmed advisory (Website). It is possible to read the advisory at tools.cisco.com. The identification of this vulnerability is CVE-2017-6638 since 03/09/2017. Attacking locally is a requirement. The successful exploitation requires a simple authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.
The vulnerability scanner Nessus provides a plugin with the ID 100790 (Cisco AnyConnect Secure Mobility Client < 4.4.02034 Local Privilege Escalation), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 370423 (Cisco AnyConnect Local Privilege Escalation Vulnerability).
Upgrading to version 4.4.02034 eliminates this vulnerability. A possible mitigation has been published before and not just after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at Tenable (100790), SecurityFocus (BID 98938†) and SecurityTracker (ID 1038627†). Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.cisco.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.8VulDB Meta Temp Score: 7.7
VulDB Base Score: 7.8
VulDB Temp Score: 7.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
Vendor Base Score (Cisco): 7.8
Vendor Vector (Cisco): 🔍
NVD Base Score: 7.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 100790
Nessus Name: Cisco AnyConnect Secure Mobility Client < 4.4.02034 Local Privilege Escalation
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: AnyConnect Secure Mobility Client 4.4.02034
Timeline
03/09/2017 🔍04/12/2017 🔍
06/07/2017 🔍
06/07/2017 🔍
06/07/2017 🔍
06/08/2017 🔍
06/08/2017 🔍
06/08/2017 🔍
06/14/2017 🔍
08/25/2024 🔍
Sources
Vendor: cisco.comAdvisory: cisco-sa-20170607-anyconnect
Researcher: Felix Wilhelm
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2017-6638 (🔍)
GCVE (CVE): GCVE-0-2017-6638
GCVE (VulDB): GCVE-100-102095
SecurityFocus: 98938 - Cisco AnyConnect Secure Mobility Client CVE-2017-6638 Local Privilege Escalation Vulnerability
SecurityTracker: 1038627
Entry
Created: 06/08/2017 20:21Updated: 08/25/2024 04:40
Changes: 06/08/2017 20:21 (85), 10/15/2019 16:05 (6), 08/25/2024 04:40 (18)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.