Two security vulnerabilities in Cisco AnyConnect Secure Mobility Client: patch immediately

Two security vulnerabilities in Cisco AnyConnect Secure Mobility Client for Windows are being exploited in the wild, Cisco warned today. The alert follows Monday's statement by the Cybersecurity and Infrastructure Security Agency (CISA) that the two flaws had been added to its Known Exploited Vulnerabilities catalog.

A flaw in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to perform a DLL hijacking attack. To exploit it, the attacker would need valid credentials on the Windows system.

The vulnerability stems from insufficient validation of resources that the application loads at runtime. An attacker could exploit it by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges on the affected machine. As above, the attacker would need valid credentials on the Windows system.
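To show what the outcome of such a hijack looks like from the defender's side, here is an added example (not code from Cisco or from this article): a small Python filter over constructed Sysmon-style image-load records (Event ID 7) that flags DLLs loaded by the AnyConnect service process from outside its expected directories. The process name vpnagent.exe, the install path and the sample events are assumptions made for the example, not values taken from the advisory.

```python
import ntpath
from dataclasses import dataclass

# Assumptions (not from the advisory): the AnyConnect service binary name and
# the directories from which it is legitimately expected to load DLLs.
AGENT_IMAGE = "vpnagent.exe"
TRUSTED_DIRS = (
    r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client",
    r"C:\Windows\System32",
    r"C:\Windows\WinSxS",
)

@dataclass
class ImageLoad:
    image: str         # process that performed the load (Sysmon "Image")
    image_loaded: str  # full path of the DLL loaded (Sysmon "ImageLoaded")

def _under(path: str, root: str) -> bool:
    """Case-insensitive containment check after normalising '..' and '/'."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")

def is_suspicious(ev: ImageLoad) -> bool:
    """A SYSTEM-level agent process loading a DLL from a location outside its
    install directory and the OS directories (e.g. a user's temp folder) is the
    hallmark of a successful DLL hijack."""
    if ntpath.basename(ev.image).lower() != AGENT_IMAGE:
        return False
    if not ev.image_loaded.lower().endswith(".dll"):
        return False
    return not any(_under(ev.image_loaded, d) for d in TRUSTED_DIRS)

def triage(events):
    """Return the paths of all suspicious loads, in log order."""
    return [e.image_loaded for e in events if is_suspicious(e)]

# Constructed sample events for demonstration; none are real telemetry.
AGENT = r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe"
SAMPLE_EVENTS = [
    ImageLoad(AGENT, r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\component.dll"),
    ImageLoad(AGENT, r"C:\Windows\System32\kernel32.dll"),
    ImageLoad(AGENT, r"C:\Users\alice\AppData\Local\Temp\evil.dll"),
    ImageLoad(r"C:\Windows\notepad.exe", r"C:\Users\alice\AppData\Local\Temp\evil.dll"),
    # Traversal out of the install directory must not pass the containment check.
    ImageLoad(AGENT, r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\..\..\..\Users\alice\x.dll"),
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("suspicious DLL load:", path)
```

The same filter can be fed real Sysmon Event ID 7 records exported from a SIEM; only the two fields shown are needed.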

Cisco has released software updates that address this vulnerability. There are no workarounds.

Exploit code

Proof-of-concept exploit code for this CVE is publicly available online, and the exploitation could be related to the Windows elevation of privilege issue.

A flaw in the installer of the Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system-level directories with system-level privileges.

The vulnerability stems from incorrect handling of directory paths. An attacker could exploit it by creating a malicious file and copying it to a system directory. A successful exploit could allow the attacker to copy malicious files to arbitrary locations with system-level privileges, which enables DLL preloading, DLL hijacking and similar attacks. The attacker would need valid credentials on the Windows system.

Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address it.

Exploit code

Proof-of-concept exploit code for this CVE is publicly available online, and the exploitation could be related to the Windows elevation of privilege issue.