CVE-2021-1567 : A vulnerability in the DLL loading mechanism of Cisco AnyConnect Secure Mobility

A vulnerability in the DLL loading mechanism of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client. This vulnerability is due to a race condition in the signature verification process for DLL files that are loaded on an affected device. An attacker could exploit this vulnerability by sending a series of crafted interprocess communication (IPC) messages to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.

Published 2021-06-16 18:15:09

Updated 2022-08-05 15:17:41

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2021-1567

Cisco » Anyconnect Secure Mobility Client » For Windows
Versions before (<) 4.10.01075
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:windows:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-1567

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 9 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-1567

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.2	MEDIUM	AV:L/AC:H/Au:N/C:C/I:C/A:C	1.9	10.0	NIST
Access Vector: Local Access Complexity: High Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.0	HIGH	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	Cisco Systems, Inc.
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.7	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H	0.8	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-1567

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

Assigned by: ykramarz@cisco.com (Secondary)
CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-1567

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-pos-dll-ff8j6dFv

Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2021-1567

Products affected by CVE-2021-1567

Exploit prediction scoring system (EPSS) score for CVE-2021-1567

CVSS scores for CVE-2021-1567

CWE ids for CVE-2021-1567

References for CVE-2021-1567