Details of VAR-201509-0004

ID

VAR-201509-0004

CVE

CVE-2015-6305

TITLE

Windows Run on Cisco AnyConnect Secure Mobility Client of vpndownloader.exe Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2015-004957

DESCRIPTION

Untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe in Cisco AnyConnect Secure Mobility Client 2.0 through 4.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by dbghelp.dll, aka Bug ID CSCuv01279. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4211. Vendors have confirmed this vulnerability Bug ID CSCuv01279 It is released as. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. http://cwe.mitre.org/data/definitions/426.htmlA local user can create a Trojan horse in the current working directory. DLL You may get permission through. A local attacker may exploit this issue to gain elevated system privileges on the device

Trust: 1.98

sources: NVD: CVE-2015-6305 // JVNDB: JVNDB-2015-004957 // BID: 76817 // VULHUB: VHN-84266

AFFECTED PRODUCTS

vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3046	Trust: 1.9
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3041	Trust: 1.9
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2014	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.0	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2018	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2019	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3055	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3051	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3054	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.0629	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.09266	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.06073	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.07021	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.0	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.0185	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0\(64\)	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.0254	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.1.0.148	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2017	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5_base	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.0136	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.5075	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.2052	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.1003	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.3054	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.0202	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.0140	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2006	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.4235	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0\(2049\)	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.0.0343	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0.0	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.0133	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.1047	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.05187	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0\(48\)	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0.00051	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.1012	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.5080	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.3050	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.1.0	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.09231	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	4.0.00048	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2011	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.02043	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.0217	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.09353	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1.05182	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.2016	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1\(60\)	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.2010	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.0 to 4.1.0	Trust: 0.8
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5	Trust: 0.3

sources: BID: 76817 // JVNDB: JVNDB-2015-004957 // CNNVD: CNNVD-201509-543 // NVD: CVE-2015-6305

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6305
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-6305
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201509-543
value:	HIGH
Trust: 0.6
VULHUB:	VHN-84266
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-6305
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-84266
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-84266 // JVNDB: JVNDB-2015-004957 // CNNVD: CNNVD-201509-543 // NVD: CVE-2015-6305

PROBLEMTYPE DATA

problemtype:	CWE-426	Trust: 1.1
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-84266 // JVNDB: JVNDB-2015-004957 // NVD: CVE-2015-6305

THREAT TYPE

local

Trust: 0.9

sources: BID: 76817 // CNNVD: CNNVD-201509-543

TYPE

Design Error

Trust: 0.3

sources: BID: 76817

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004957

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-84266

PATCH

title:	Issue 460	url:	https://code.google.com/p/google-security-research/issues/detail?id=460	Trust: 0.8
title:	41136	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=41136	Trust: 0.8

sources: JVNDB: JVNDB-2015-004957

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6305	Trust: 2.8
db:	EXPLOIT-DB	id:	38289	Trust: 1.1
db:	PACKETSTORM	id:	133876	Trust: 1.1
db:	SECTRACK	id:	1033643	Trust: 1.1
db:	JVNDB	id:	JVNDB-2015-004957	Trust: 0.8
db:	CNNVD	id:	CNNVD-201509-543	Trust: 0.7
db:	BID	id:	76817	Trust: 0.4
db:	PACKETSTORM	id:	133658	Trust: 0.1
db:	VULHUB	id:	VHN-84266	Trust: 0.1

sources: VULHUB: VHN-84266 // BID: 76817 // JVNDB: JVNDB-2015-004957 // CNNVD: CNNVD-201509-543 // NVD: CVE-2015-6305

REFERENCES

url:	http://tools.cisco.com/security/center/viewalert.x?alertid=41136	Trust: 2.0
url:	https://code.google.com/p/google-security-research/issues/detail?id=460	Trust: 1.7
url:	https://www.exploit-db.com/exploits/38289/	Trust: 1.1
url:	http://seclists.org/fulldisclosure/2015/sep/80	Trust: 1.1
url:	http://packetstormsecurity.com/files/133876/cisco-anyconnect-secure-mobility-client-3.1.08009-privilege-elevation.html	Trust: 1.1
url:	http://www.securitytracker.com/id/1033643	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6305	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6305	Trust: 0.8
url:	http://www.cisco.com/en/us/products/ps10884/index.html	Trust: 0.3
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-84266 // BID: 76817 // JVNDB: JVNDB-2015-004957 // CNNVD: CNNVD-201509-543 // NVD: CVE-2015-6305

CREDITS

Google Project Zero and Mr. Yorick Koster of Securify B.V.

Trust: 0.3

sources: BID: 76817

SOURCES

db:	VULHUB	id:	VHN-84266
db:	BID	id:	76817
db:	JVNDB	id:	JVNDB-2015-004957
db:	CNNVD	id:	CNNVD-201509-543
db:	NVD	id:	CVE-2015-6305

LAST UPDATE DATE

2024-11-23T22:45:56.479000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-84266	date:	2016-12-12T00:00:00
db:	BID	id:	76817	date:	2016-07-06T14:42:00
db:	JVNDB	id:	JVNDB-2015-004957	date:	2015-09-30T00:00:00
db:	CNNVD	id:	CNNVD-201509-543	date:	2015-09-28T00:00:00
db:	NVD	id:	CVE-2015-6305	date:	2024-11-21T02:34:44.527

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-84266	date:	2015-09-26T00:00:00
db:	BID	id:	76817	date:	2015-09-22T00:00:00
db:	JVNDB	id:	JVNDB-2015-004957	date:	2015-09-30T00:00:00
db:	CNNVD	id:	CNNVD-201509-543	date:	2015-09-28T00:00:00
db:	NVD	id:	CVE-2015-6305	date:	2015-09-26T01:59:09.627