ID

VAR-202011-0730


CVE

CVE-2020-27123


TITLE

Vulnerability in Cisco AnyConnect Secure Mobility Client for Windows

Trust: 0.8

sources: JVNDB: JVNDB-2020-009714

DESCRIPTION

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to read arbitrary files on the underlying operating system of an affected device. The vulnerability is due to an exposed IPC function. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process on an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device.

Trust: 1.71

sources: NVD: CVE-2020-27123 // JVNDB: JVNDB-2020-009714 // VULHUB: VHN-370493

AFFECTED PRODUCTS

vendor: cisco, model: anyconnect secure mobility client, scope: lt, version: 4.9.03047

Trust: 1.0

vendor: cisco, model: anyconnect secure mobility client, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-009714 // NVD: CVE-2020-27123

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-27123
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-27123
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-009714
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202011-301
value: MEDIUM

Trust: 0.6

VULHUB: VHN-370493
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-27123
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-009714
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-370493
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-27123
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-009714
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-370493 // JVNDB: JVNDB-2020-009714 // CNNVD: CNNVD-202011-301 // NVD: CVE-2020-27123 // NVD: CVE-2020-27123

PROBLEMTYPE DATA

problemtype:CWE-749

Trust: 1.0

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2020-27123

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202011-301

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202011-301

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-009714

PATCH

title: cisco-sa-anyconnect-file-read-LsvDD6Uh, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Trust: 0.8

title: Cisco AnyConnect Secure Mobility Client for Windows Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=132743

Trust: 0.6

sources: JVNDB: JVNDB-2020-009714 // CNNVD: CNNVD-202011-301

EXTERNAL IDS

db: NVD, id: CVE-2020-27123

Trust: 2.5

db: JVNDB, id: JVNDB-2020-009714

Trust: 0.8

db: AUSCERT, id: ESB-2020.3822

Trust: 0.6

db: AUSCERT, id: ESB-2020.3822.4

Trust: 0.6

db: CNNVD, id: CNNVD-202011-301

Trust: 0.6

db: CNVD, id: CNVD-2020-63488

Trust: 0.1

db: VULHUB, id: VHN-370493

Trust: 0.1

sources: VULHUB: VHN-370493 // JVNDB: JVNDB-2020-009714 // CNNVD: CNNVD-202011-301 // NVD: CVE-2020-27123

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-anyconnect-file-read-lsvdd6uh

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-27123

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-27123

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.3822/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-anyconnect-secure-mobility-client-for-windows-file-reading-33811

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3822.4/

Trust: 0.6

sources: VULHUB: VHN-370493 // JVNDB: JVNDB-2020-009714 // CNNVD: CNNVD-202011-301 // NVD: CVE-2020-27123

SOURCES

db: VULHUB, id: VHN-370493
db: JVNDB, id: JVNDB-2020-009714
db: CNNVD, id: CNNVD-202011-301
db: NVD, id: CVE-2020-27123

LAST UPDATE DATE

2024-11-23T22:37:12.608000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-370493, date: 2020-11-12T00:00:00
db: JVNDB, id: JVNDB-2020-009714, date: 2020-12-02T03:30:22
db: CNNVD, id: CNNVD-202011-301, date: 2020-12-07T00:00:00
db: NVD, id: CVE-2020-27123, date: 2024-11-21T05:20:45.417

SOURCES RELEASE DATE

db: VULHUB, id: VHN-370493, date: 2020-11-06T00:00:00
db: JVNDB, id: JVNDB-2020-009714, date: 2020-12-02T03:30:22
db: CNNVD, id: CNNVD-202011-301, date: 2020-11-04T00:00:00
db: NVD, id: CVE-2020-27123, date: 2020-11-06T19:15:13.580