Cisco AnyConnect Secure Mobility Client for Windows DLL and Executable Hijacking Vulnerabilities

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

Details about the vulnerabilities are as follows.

Cisco AnyConnect Secure Mobility Client for Windows Uninstall Executable Hijacking Vulnerability

A vulnerability in the uninstall process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.

This vulnerability exists because a temporary file with insecure permissions is created during the uninstall process. An attacker could exploit this vulnerability by overwriting the temporary file before it is accessed for execution. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCvv43102, CSCvv60844
CVE ID(s): CVE-2021-1426
Security Impact Rating (SIR): High
CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Cisco AnyConnect Secure Mobility Client for Windows Upgrade DLL Hijacking Vulnerabilities 

Two vulnerabilities in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.

These vulnerabilities exist because the application loads a DLL file from a user-writable directory. An attacker could exploit these vulnerabilities by copying a malicious DLL file to a specific directory. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit these vulnerabilities, the attacker must have valid credentials on the Windows system.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Bug ID(s): CSCvw16996, CSCvw17005
CVE ID(s): CVE-2021-1427, CVE-2021-1428
Security Impact Rating (SIR): High
CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Cisco AnyConnect Secure Mobility Client for Windows Upgrade Executable Hijacking Vulnerability 

A vulnerability in the install process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.

This vulnerability exists because a temporary file with insecure permissions is created during the upgrade process. An attacker could exploit this vulnerability by overwriting the temporary file before it is accessed for execution. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCvw18527
CVE ID(s): CVE-2021-1429
Security Impact Rating (SIR): High
CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Cisco AnyConnect Secure Mobility Client for Windows Upgrade DLL Hijacking Vulnerability 

A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.

This vulnerability exists because a temporary file with insecure permissions is created during the upgrade process. An attacker could exploit this vulnerability by overwriting the temporary file before it is accessed for execution. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCvw18595
CVE ID(s): CVE-2021-1430
Security Impact Rating (SIR): High
CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Cisco AnyConnect Secure Mobility Client for Windows Install Executable Hijacking Vulnerability

A vulnerability in the install process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.

This vulnerability exists because the application loads an executable file from a user-writable directory. An attacker could exploit this vulnerability by copying a malicious executable file to a specific directory, which would be executed when the application is installed or upgraded. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCvu77671
CVE ID(s): CVE-2021-1496
Security Impact Rating (SIR): High
CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2024-12867 : ARCTIC SECURITY ARCTIC HUB UP TO 5.5.1872 CONFIGURATION SERVER-SIDE REQUEST FORGERY

CVE-2024-12867 : ARCTIC SECURITY ARCTIC HUB UP TO 5.5.1872 CONFIGURATION SERVER-SIDE REQUEST FORGERY

Description Server-Side Request Forgery in URL Mapper in Arctic Security’s Arctic Hub versions 3.0.1764-5.6.1877 allows an unauthenticated remote attacker to

CVE-2024-12840 : RED HAT SATELLITE HTTP PROXY SERVER-SIDE REQUEST FORGERY

CVE-2024-12840 : RED HAT SATELLITE HTTP PROXY SERVER-SIDE REQUEST FORGERY

Description A server-side request forgery exists in Satellite. When a PUT HTTP request is made to /http_proxies/test_connection, when supplied with

CVE-2024-51466 : IBM COGNOS ANALYTICS UP TO 11.2.4 FP4/12.0.4 EL EXPRESSION LANGUAGE INJECTION

CVE-2024-51466 : IBM COGNOS ANALYTICS UP TO 11.2.4 FP4/12.0.4 EL EXPRESSION LANGUAGE INJECTION

Description IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) Injection