The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of AnyConnect VPN Client

vulnerability announce CVE-2015-7600

Cisco AnyConnect VPN Client: privilege escalation via vpnclient.ini

Synthesis of the vulnerability

A local attacker can alter the vpnclient.ini file of Cisco AnyConnect VPN Client, in order to escalate his privileges.
Impacted products: AnyConnect VPN Client.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user shell.
Creation date: 07/10/2015.
Identifiers: CVE-2015-7600, VIGILANCE-VUL-18052.

Description of the vulnerability

The Cisco AnyConnect VPN Client product uses the vpnclient.ini configuration file.

This file can contain a "Command=" option that specifies a command to run at startup. However, a local attacker can alter this command and wait for another user to run the VPN client.

A local attacker can therefore alter the vpnclient.ini file of Cisco AnyConnect VPN Client, in order to escalate his privileges.

computer vulnerability bulletin CVE-2015-6305

Cisco AnyConnect Secure Mobility Client: privilege escalation via DLL

Synthesis of the vulnerability

An attacker can make Cisco AnyConnect Secure Mobility Client load and run an arbitrary DLL, in order to escalate his privileges.
Impacted products: Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 23/09/2015.
Identifiers: 41136, CSCuv01279, CVE-2015-6305, VIGILANCE-VUL-17958.

Description of the vulnerability

The Cisco AnyConnect Secure Mobility Client is used to create tunnels for virtual private networks.

It may load and run DLLs with SYSTEM privileges for various internal needs. However, MS-Windows searches for DLLs in many locations by default, and the product does not restrict this set of locations. An attacker can plant a DLL in one of the writable directories that Windows searches, so that the product loads it.

An attacker can therefore make Cisco AnyConnect Secure Mobility Client load and run an arbitrary DLL, in order to escalate his privileges.

vulnerability CVE-2015-4289

Cisco AnyConnect Secure Mobility Client: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Cisco AnyConnect Secure Mobility Client, in order to write a file outside the service root path.
Impacted products: Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 31/07/2015.
Identifiers: 40175, CSCut93920, CVE-2015-4289, VIGILANCE-VUL-17550.

Description of the vulnerability

The Cisco AnyConnect Secure Mobility Client product offers a web service.

However, user-supplied data are inserted directly into a file path. Sequences such as "/.." can thus be used to reach the parent directory.

An attacker can therefore traverse directories of Cisco AnyConnect Secure Mobility Client, in order to write a file outside the service root path.

computer vulnerability bulletin CVE-2015-4290

Cisco AnyConnect Secure Mobility Client: denial of service via Mac OS X

Synthesis of the vulnerability

A local attacker can stop the Mac OS X kernel via Cisco AnyConnect Secure Mobility Client, in order to trigger a denial of service.
Impacted products: Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 30/07/2015.
Identifiers: 40176, CSCut12255, CVE-2015-4290, VIGILANCE-VUL-17538.

Description of the vulnerability

The Cisco AnyConnect Secure Mobility Client product can be installed on Mac OS X.

However, a local attacker can manipulate memory so as to trigger a fatal error in the Mac OS X kernel.

A local attacker can therefore stop the Mac OS X kernel via Cisco AnyConnect Secure Mobility Client, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2015-4211

Cisco AnyConnect VPN Client for Windows: privilege escalation via program install

Synthesis of the vulnerability

An attacker can create an INF file for Cisco AnyConnect VPN Client for Windows, in order to make it run any program with the privileges of the SYSTEM account.
Impacted products: AnyConnect VPN Client.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 24/06/2015.
Identifiers: 39466, CVE-2015-4211, VIGILANCE-VUL-17218.

Description of the vulnerability

The Cisco AnyConnect VPN Client for Windows product can install programs.

To describe what is to be done, it uses the INF file format inherited from Windows 3. However, it does not validate the path of the programs that the INF file specifies to run. An attacker can therefore choose which program will be run.

An attacker can therefore create an INF file for Cisco AnyConnect VPN Client for Windows, in order to make it run any program with the privileges of the SYSTEM account.

computer vulnerability bulletin CVE-2014-8176

OpenSSL: use after free via DTLS

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via DTLS in OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, HP Switch, AIX, IRAD, McAfee Email and Web Security, McAfee Email Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, OpenSSL, openSUSE, Palo Alto Firewall PA***, PAN-OS, pfSense, RHEL, stunnel, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 12/06/2015.
Identifiers: 1961569, 9010038, 9010039, BSA-2015-006, c05184351, CERTFR-2015-AVI-257, cisco-sa-20150612-openssl, CVE-2014-8176, DSA-3287-1, HPSBHF03613, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1277-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA98, SB10122, SOL16920, USN-2639-1, VIGILANCE-VUL-17118.

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

However, if data are received between the ChangeCipherSpec and Finished messages, OpenSSL frees a memory area and then reuses it.

An attacker can therefore force the usage of a freed memory area via DTLS in OpenSSL, in order to trigger a denial of service, and possibly to execute code.

computer vulnerability announce CVE-2015-1788 CVE-2015-1789 CVE-2015-1790

OpenSSL: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, DB2 UDB, IRAD, Security Directory Server, SPSS Modeler, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/06/2015.
Identifiers: 1450666, 1610582, 1647054, 1961111, 1961569, 1964113, 1964766, 1966038, 1970103, 1972125, 9010038, 9010039, BSA-2015-006, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-257, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2017, CTX216642, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, RHSA-2015:1197-01, SA40002, SA98, SB10122, SOL16898, SOL16913, SOL16915, SOL16938, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TNS-2015-07, TSB16728, USN-2639-1, VIGILANCE-VUL-17117.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can generate an infinite loop via ECParameters, in order to trigger a denial of service. [severity:2/4; CVE-2015-1788]

An attacker can force a read at an invalid address in X509_cmp_time(), in order to trigger a denial of service. [severity:2/4; CVE-2015-1789]

An attacker can force a NULL pointer to be dereferenced via EnvelopedContent, in order to trigger a denial of service. [severity:2/4; CVE-2015-1790]

An attacker can generate an infinite loop via CMS signedData, in order to trigger a denial of service. [severity:2/4; CVE-2015-1792]

vulnerability announce CVE-2015-1791

OpenSSL: use after free via NewSessionTicket

Synthesis of the vulnerability

An attacker who owns a malicious TLS server can send the NewSessionTicket message to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, IRAD, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet client.
Creation date: 04/06/2015.
Identifiers: 1961569, 1964113, 1970103, 2003480, 2003620, 2003673, 9010038, 9010039, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-1791, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA40002, SA98, SB10122, SOL16914, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1182-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TSB16728, USN-2639-1, VIGILANCE-VUL-17062.

Description of the vulnerability

The TLS protocol uses the NewSessionTicket message to obtain a new session ticket (RFC 5077).

The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c file implements NewSessionTicket in an OpenSSL client. However, if the client is multi-threaded, this function frees a memory area and then reuses it.

An attacker who owns a malicious TLS server can therefore send the NewSessionTicket message to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.

computer vulnerability alert CVE-2015-0761

Cisco AnyConnect: privilege escalation via vpnagent

Synthesis of the vulnerability

An attacker can run vpnagent of Cisco AnyConnect with a crafted command line, in order to escalate his privileges.
Impacted products: Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 03/06/2015.
Identifiers: 39158, CSCus86790, CVE-2015-0761, VIGILANCE-VUL-17046.

Description of the vulnerability

The Cisco AnyConnect Secure Mobility Client for Linux includes a program named vpnagent.

However, this program does not properly check the options on its command line before running commands with root privileges.

An attacker can therefore run vpnagent of Cisco AnyConnect with a crafted command line, in order to escalate his privileges.

vulnerability note CVE-2015-0755

Cisco AnyConnect Secure Mobility Client: privilege escalation via Identity Services Engine

Synthesis of the vulnerability

An attacker can use Identity Services Engine of Cisco AnyConnect Secure Mobility Client, in order to escalate his privileges.
Impacted products: Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 01/06/2015.
Identifiers: 39018, CSCut05797, CVE-2015-0755, VIGILANCE-VUL-17024.

Description of the vulnerability

The Cisco AnyConnect Secure Mobility Client product uses Cisco Identity Services Engine (ISE).

However, a local attacker can bypass access restrictions of ISE to execute privileged commands.

An attacker can therefore use Identity Services Engine of Cisco AnyConnect Secure Mobility Client, in order to escalate his privileges.