PT-2015-7168 · Cisco · Cisco Anyconnect Secure Mobility Client

Yorick Koster

Published

2015-09-25

Updated

2016-12-12

CVE-2015-6305

CVSS v2.0

7.2

High

Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Cisco AnyConnect Secure Mobility Client versions 2.0 through 4.1

Description The issue is related to an untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe. This allows local users to gain privileges via a Trojan horse DLL in the current working directory. For example, a Trojan horse dbghelp.dll can be used to exploit this issue.

Recommendations For Cisco AnyConnect Secure Mobility Client versions 2.0 through 4.1, consider restricting access to the vpndownloader.exe until a patch is available. As a temporary workaround, avoid using the CMainThread::launchDownloader function to minimize the risk of exploitation.

Exploit

Fix

Untrusted Search Path

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-426

Related Identifiers

CVE-2015-6305

Affected Products

Cisco Anyconnect Secure Mobility Client

PT-2015-7168 · Cisco · Cisco Anyconnect Secure Mobility Client

CVE-2015-6305

Weakness Enumeration

Related Identifiers

Affected Products

References · 7