Cisco AnyConnect Network Access Manager TLS Certificate Management Subsystem certificate validation
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.9 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, has been found in Cisco AnyConnect Network Access Manager and AnyConnect Secure Mobility Client. Affected is an unknown function of the component TLS Certificate Management Subsystem. This manipulation causes certificate validation. The identification of this vulnerability is CVE-2018-0334. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.
Details
A vulnerability was found in Cisco AnyConnect Network Access Manager and AnyConnect Secure Mobility Client (Network Encryption Software) (affected version unknown). It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component TLS Certificate Management Subsystem. The manipulation with an unknown input leads to a certificate validation vulnerability. The CWE definition for the vulnerability is CWE-295. The product does not validate, or incorrectly validates, a certificate. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
A vulnerability in the certificate management subsystem of Cisco AnyConnect Network Access Manager and of Cisco AnyConnect Secure Mobility Client for iOS, Mac OS X, Android, Windows, and Linux could allow an unauthenticated, remote attacker to bypass the TLS certificate check when downloading certain configuration files. The vulnerability is due to improper use of Simple Certificate Enrollment Protocol and improper server certificate validation. An attacker could exploit this vulnerability by preparing malicious profile and localization files for Cisco AnyConnect to use. A successful exploit could allow the attacker to remotely change the configuration profile, a certificate, or the localization data used by AnyConnect Secure Mobility Client. Cisco Bug IDs: CSCvh23141.
The bug was discovered 06/06/2018. The weakness was shared 06/07/2018 with Cisco as cisco-sa-20180606-AnyConnect-c as confirmed advisory (Website). It is possible to read the advisory at tools.cisco.com. This vulnerability is known as CVE-2018-0334 since 11/27/2017. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1587.003 according to MITRE ATT&CK.
The vulnerability scanner Nessus provides a plugin with the ID 110563 (Cisco AnyConnect Secure Mobility Client < 4.6.01098 Certificate Bypass Vulnerability), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows and running in the context l.
Upgrading eliminates this vulnerability. A possible mitigation has been published before and not just after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at Tenable (110563), SecurityFocus (BID 104430†) and SecurityTracker (ID 1041075†). Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
License
Website
- Vendor: https://www.cisco.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.1VulDB Meta Temp Score: 5.9
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 4.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Certificate validationCWE: CWE-295 / CWE-287
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 110563
Nessus Name: Cisco AnyConnect Secure Mobility Client < 4.6.01098 Certificate Bypass Vulnerability
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
06/06/2017 🔍11/27/2017 🔍
06/06/2018 🔍
06/06/2018 🔍
06/07/2018 🔍
06/07/2018 🔍
06/08/2018 🔍
06/15/2018 🔍
12/26/2024 🔍
Sources
Vendor: cisco.comAdvisory: cisco-sa-20180606-AnyConnect-c
Organization: Cisco
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2018-0334 (🔍)
GCVE (CVE): GCVE-0-2018-0334
GCVE (VulDB): GCVE-100-119239
SecurityFocus: 104430 - Cisco AnyConnect Secure Mobility Client Certificate Validation Security Bypass Vulnerability
SecurityTracker: 1041075
Entry
Created: 06/08/2018 08:43Updated: 12/26/2024 23:10
Changes: 06/08/2018 08:43 (66), 02/17/2020 09:31 (7), 12/26/2024 23:10 (18)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.