[German]The Windows version of Cisco AnyConnect Secure Mobility client has a vulnerability in it's auto update, that can be misused for privilege escalation. A patch is available.
Advertising
A Privilege Escalation vulnerability exists in the Cisco AnyConnect Secure Mobility client for Windows. The following tweet brought this issue to my attention a few days ago.
Details for the path traversal vulnerability I discovered in the Cisco AnyConnect Secure Mobility Client for Windows are now public (CVE-2020-3153). This issue can be used to gain SYSTEM privileges:https://t.co/JIzD7iZLx1https://t.co/4wiatAbth0
— Yorick Koster (@yorickkoster) April 20, 2020
Independent security researcher Yorick Koster has reported this vulnerability in the SSD Secure Disclosure Program.
The vulnerability CVE-2020-3153
The vulnerability CVE-2020-3153 is located in the installer component of the Cisco AnyConnect Secure Mobility Client for Windows. The Cisco AnyConnect Secure Mobility Client includes features to automatically update with updates. Automatic updating also works for users with low privileges because it is initiated by a service called the Cisco AnyConnect Secure Mobility Agent and runs with SYSTEM privileges. This service exposes TCP port 62522 on the loopback device, which clients can connect to and send commands to be processed by this service. One of these commands is to start the vpndownloader application and update AnyConnect.
A vulnerability has been discovered that could allow an authenticated local attacker to abuse this auto-update feature to copy files provided by standard user accounts to system-level directories with the required system permissions.
Advertising
The vulnerability is due to incorrect handling of directory paths (directory traversal). An attacker could exploit this vulnerability by creating a malicious file and having the file copied to a system directory. The vulnerability may allow the attacker to copy files containing malicious software to any location with system-level permissions. This could include DLL preloading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.
Patch available
According to Yorick Koster, the vulnerability affects the Cisco AnyConnect Secure Mobility Client for Windows beforeand up to version 4.8.01090. Cisco released an advisory and a patch tovVersion 4.8.02042 on April 19. Details can be found on this website.
