CVE-2015-6305

Untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe in Cisco AnyConnect Secure Mobility Client 2.0 through 4.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by dbghelp.dll, aka Bug ID CSCuv01279. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4211.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://tools.cisco.com/security/center/viewAlert.x?alertId=41136	Vendor Advisory
https://code.google.com/p/google-security-research/issues/detail?id=460	Exploit Vendor Advisory
http://packetstormsecurity.com/files/133876/Cisco-AnyConnect-Secure-Mobility-Client-3.1.08009-Privilege-Elevation.html	Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/38289/	Exploit Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1033643	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2015/Sep/80	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.1.0.148:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.0136:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.2016:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.4.1012:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2017:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2019:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.0629:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.2052:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.5080:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.09266:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.07021:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0.00051:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5_base:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.5075:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.0.0343:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.3050:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.0217:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0.0:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2011:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2010:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0\(2049\):::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.1047:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0.00048:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.0:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0\(48\):::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2014:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.3054:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.4235:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2006:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0\(64\):::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.4.0202:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.0133:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2018:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3046:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3041:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.05182:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.09231:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.0:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.02043:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.0140:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.0254:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3051:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1\(60\):::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.1.0:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.09353:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.06073:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.0185:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.1003:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3054:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3055:::::::*
	cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.05187:::::::*

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

Information

Published : 2015-09-25 18:59

Updated : 2016-12-12 11:01

NVD link : CVE-2015-6305

Mitre link : CVE-2015-6305

JSON object : View

CWE

CWE-426

Untrusted Search Path

Products Affected

cisco

anyconnect_secure_mobility_client

microsoft

windows

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=41136", "name": "20150922 Cisco AnyConnect Secure Mobility Client for Windows Privilege Escalation Vulnerability", "tags": ["Vendor Advisory"], "refsource": "CISCO"}, {"url": "https://code.google.com/p/google-security-research/issues/detail?id=460", "name": "https://code.google.com/p/google-security-research/issues/detail?id=460", "tags": ["Exploit", "Vendor Advisory"], "refsource": "MISC"}, {"url": "http://packetstormsecurity.com/files/133876/Cisco-AnyConnect-Secure-Mobility-Client-3.1.08009-Privilege-Elevation.html", "name": "http://packetstormsecurity.com/files/133876/Cisco-AnyConnect-Secure-Mobility-Client-3.1.08009-Privilege-Elevation.html", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "https://www.exploit-db.com/exploits/38289/", "name": "38289", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securitytracker.com/id/1033643", "name": "1033643", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "SECTRACK"}, {"url": "http://seclists.org/fulldisclosure/2015/Sep/80", "name": "20150922 Cisco AnyConnect elevation of privileges via DLL side loading", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "FULLDISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe in Cisco AnyConnect Secure Mobility Client 2.0 through 4.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by dbghelp.dll, aka Bug ID CSCuv01279. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4211."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-426"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-6305", "ASSIGNER": "psirt@cisco.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-09-26T01:59Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.1.0.148:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.0136:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.2016:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.4.1012:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2017:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2019:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.0629:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.2052:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.5080:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.09266:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.07021:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0.00051:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5_base:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.5075:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.0.0343:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.3050:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.0217:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2011:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2010:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0\\(2049\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.1047:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0.00048:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0\\(48\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2014:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.3054:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.4235:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2006:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.0\\(64\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.4.0202:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.0133:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.2018:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3046:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3041:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.05182:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.09231:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.02043:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.0140:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.0254:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3051:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1\\(60\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0.09353:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.06073:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.0185:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.1003:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3054:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5.3055:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.1.05187:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2016-12-12T19:01Z"}

7.2 /10