CVE-2017-6638 : A vulnerability in how DLL files are loaded with Cisco AnyConnect Secure Mobilit

A vulnerability in how DLL files are loaded with Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and run an executable file with privileges equivalent to the Microsoft Windows SYSTEM account. The vulnerability is due to incomplete input validation of path and file names of a DLL file before it is loaded. An attacker could exploit this vulnerability by creating a malicious DLL file and installing it in a specific system directory. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account. The attacker would need valid user credentials to exploit this vulnerability. This vulnerability affects all Cisco AnyConnect Secure Mobility Client for Windows software versions prior to 4.4.02034. Cisco Bug IDs: CSCvc97928.

Published 2017-06-08 13:29:00

Updated 2019-10-03 00:03:26

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2017-6638

Cisco » Anyconnect Secure Mobility Client
Versions up to, including, (<=) 4.4.00243
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-6638

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 16 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-6638

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-6638

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-264

Assigned by: ykramarz@cisco.com (Secondary)

References for CVE-2017-6638

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-anyconnect

Cisco AnyConnect Local Privilege Escalation Vulnerability
Vendor Advisory
http://www.securitytracker.com/id/1038627

Cisco AnyConnect Secure Mobility Client DLL Loading Error Lets Local Users Obtain System Privileges - SecurityTracker
http://www.securityfocus.com/bid/98938

Cisco AnyConnect Secure Mobility Client CVE-2017-6638 Local Privilege Escalation Vulnerability
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2017-6638

Products affected by CVE-2017-6638

Exploit prediction scoring system (EPSS) score for CVE-2017-6638

CVSS scores for CVE-2017-6638

CWE ids for CVE-2017-6638

References for CVE-2017-6638