// For flags

CVE-2020-3153

Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

8
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

Una vulnerabilidad en el componente installer de Cisco AnyConnect Secure Mobility Client para Windows, podría permitir a un atacante local autenticado copiar archivos suministrados por el usuario hacia directorios de nivel de sistema con privilegios de nivel system. La vulnerabilidad es debido al manejo incorrecto de las rutas de directorio. Un atacante podría explotar esta vulnerabilidad mediante la creación de un archivo malicioso y al copiar el archivo en un directorio del sistema. Una explotación podría permitir al atacante copiar archivos maliciosos en ubicaciones arbitrarias con privilegios de nivel system. Esto podría incluir la precarga de DLL, el secuestro de DLL y otros ataques relacionados. Para explotar esta vulnerabilidad, el atacante necesita credenciales válidas sobre el sistema Windows.

The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers to execute code on the affected machine with with system level privileges. Both attacks consist in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service.

Cisco AnyConnect Secure Mobility Client for Windows allows for incorrect handling of directory paths. An attacker with valid credentials on Windows would be able to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Complete
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-12-12 CVE Reserved
  • 2020-02-19 CVE Published
  • 2020-05-04 First Exploit
  • 2022-10-24 Exploited in Wild
  • 2022-11-14 KEV Due Date
  • 2023-03-08 EPSS Updated
  • 2024-09-16 CVE Updated
CWE
  • CWE-427: Uncontrolled Search Path Element
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
 Anyconnect Secure Mobility Client
Search vendor "Cisco" for product "Anyconnect Secure Mobility Client"
 < 4.8.02042
Search vendor "Cisco" for product "Anyconnect Secure Mobility Client" and version " < 4.8.02042"
windows
Affected