Cisco AnyConnect Secure Mobility Client for Windows Multiple Vulnerablities - Nessus

High Plugin ID: 139411

This page contains detailed information about the Cisco AnyConnect Secure Mobility Client for Windows Multiple Vulnerablities Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents

hide

Plugin Overview
Vulnerability Information

Synopsis
Description
Solution

Public Exploits
Risk Information
Plugin Source
How to Run
References
Version

Plugin Overview

ID: 139411
Name: Cisco AnyConnect Secure Mobility Client for Windows Multiple Vulnerablities
Filename: cisco-sa-anyconnect-dos-dll.nasl
Vulnerability Published: 2020-08-05
This Plugin Published: 2020-08-07
Last Modification Time: 2022-02-14
Plugin Version: 1.10
Plugin Type: local
Plugin Family: Windows
Dependencies: cisco_anyconnect_vpn_installed.nasl
Required KB Items [?]: installed_sw/Cisco AnyConnect Secure Mobility Client, SMB/Registry/Enumerated

Vulnerability Information

Severity: High
Vulnerability Published: 2020-08-05
Patch Published: 2020-08-05
CVE [?]: CVE-2020-3433, CVE-2020-3434
CPE [?]: cpe:/a:cisco:anyconnect_secure_mobility_client

Synopsis

The remote device is missing a vendor-supplied security patch

Description

According to its self-reported version, Cisco AnyConnect Secure Mobility Client is affected by multiple vulnerabilities.

- A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected device. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. (CVE-2020-3434)

- A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. (CVE-2020-3433)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvu22424, CSCvu14943

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Cisco AnyConnect Secure Mobility Client for Windows Multiple Vulnerablities vulnerability:

Metasploit: exploit/windows/local/anyconnect_lpe
[Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)]
GitHub: https://github.com/r0eXpeR/supplier
[CVE-2020-3433]
GitHub: https://github.com/AlAIAL90/CVE-2020-3434
[CVE-2020-3434: PoC for exploiting CVE-2020-3434 : A vulnerability in the interprocess communication ...]
GitHub: https://github.com/goichot/CVE-2020-3433
[CVE-2020-3433: PoCs and technical analysis of three vulnerabilities found on Cisco AnyConnect for ...]
GitHub: https://github.com/goichot/CVE-2020-3433
[CVE-2020-3434: PoCs and technical analysis of three vulnerabilities found on Cisco AnyConnect for ...]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2020-3433
CVSS V2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSS Base Score:	7.2 (High)
Impact Subscore:	10.0
Exploitability Subscore:	3.9
CVSS Temporal Score:	6.0 (Medium)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	6.0 (Medium)

CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CVSS Base Score:	7.8 (High)
Impact Subscore:	5.9
Exploitability Subscore:	1.8
CVSS Temporal Score:	7.2 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	7.2 (High)

STIG Severity [?]: II
STIG Risk Rating: Medium

Go back to menu.

Plugin Source

#TRUSTED 3be3b4c8b857ff5af6bea1ebc90d81fb99120b26b938e20b13d87c950f1006577627c0c6a7d9537813164bbb81151b192964274f6a30a284c164b9ea599c9348321e652b1d5e083a7559cbe866e198c0b08e05c366a9f386994edd2792ec171159466b4e2ae2672be56aed0cf54900583cff58b499fd9d493175ffd64144202392968d20387991fb26daf1d68c988f2ac2e907e88d7c631cea641abbe7be0e9b22c7ba2cdf66376f52d746da778e5465b0c70f659987fdb8b37da216a2b6e5ee4e566273172891a197d87e0de5f08a3d717ae10adcc5fa75dfb3c4b6cafbebbbda09884c8f2066e427e649bf210bc093ce0d2a075b73dc7c69d1e1006c4c47b04de93f25cc10cb2b391e2546aceb0e9d44ff0b18965a60adac9791a5096d0ec5df96c966b2193b845004410b367780c02ebed046daa50a692b3c4582a700be914eedc6f96668914a095e791beebb80c0b135699b6df9d31d17dae70a100f572b0d7de88803df067c807c5146c3dd71b4ace2f2d6d2f3ab56bfe6aeb7bd50db17519fc044908971cfb54c71fc015b3e674fbc704fab0a59e2a4e08a9196b6abe520b1af6da86ec0d21f34ba882802aaa5ada30b94cd6ee48900fa949378e8cc470b1c894a757f524bfe0b3b8df8073053a1945cf617ab905953388f0fb18eb0bdd5fa29f5a9bd4a01ed2c44a097b9d8a34787c78be316c99d4ed26e93b501f00a
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(139411);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/14");

  script_cve_id("CVE-2020-3433", "CVE-2020-3434");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu22424");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu14943");
  script_xref(name:"CISCO-SA", value:"cisco-sa-anyconnect-dos-feXq4tAV");
  script_xref(name:"CISCO-SA", value:"cisco-sa-anyconnect-dll-F26WwJW");
  script_xref(name:"IAVA", value:"2020-A-0351-S");

  script_name(english:"Cisco AnyConnect Secure Mobility Client for Windows Multiple Vulnerablities");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco AnyConnect Secure Mobility Client is affected by multiple vulnerabilities.

  - A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client
    for Windows could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an
    affected device. To exploit this vulnerability, the attacker would need to have valid credentials on the
    Windows system. (CVE-2020-3434)

  - A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client
    for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this
    vulnerability, the attacker would need to have valid credentials on the Windows system. (CVE-2020-3433)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dos-feXq4tAV
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d3b436d3");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?88c8089d");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu14943");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu22424");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvu22424, CSCvu14943");
  script_set_attribute(attribute:"agent", value:"windows");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3433");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(20, 427);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/08/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/08/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/08/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:anyconnect_secure_mobility_client");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_anyconnect_vpn_installed.nasl");
  script_require_keys("installed_sw/Cisco AnyConnect Secure Mobility Client", "SMB/Registry/Enumerated");

  exit(0);
}

include('vcf.inc');

get_kb_item_or_exit('SMB/Registry/Enumerated');

app_info = vcf::get_app_info(app:'Cisco AnyConnect Secure Mobility Client', win_local:TRUE);

constraints = [
  { 'max_version' : '4.9.00086', 'fixed_display' : 'Please see advisory' }
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);

The latest version of this script can be found in these locations depending on your platform:

Linux / Unix:
/opt/nessus/lib/nessus/plugins/cisco-sa-anyconnect-dos-dll.nasl
Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\cisco-sa-anyconnect-dos-dll.nasl
Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/cisco-sa-anyconnect-dos-dll.nasl

Go back to menu.

How to Run

Here is how to run the Cisco AnyConnect Secure Mobility Client for Windows Multiple Vulnerablities as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

Click to start a New Scan.
Select Advanced Scan.
Navigate to the Plugins tab.
On the top right corner click to Disable All plugins.
On the left side table select Windows plugin family.
On the right side table select Cisco AnyConnect Secure Mobility Client for Windows Multiple Vulnerablities plugin ID 139411.
Specify the target on the Settings tab and click to Save the scan.
Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl cisco-sa-anyconnect-dos-dll.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a cisco-sa-anyconnect-dos-dll.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - cisco-sa-anyconnect-dos-dll.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state cisco-sa-anyconnect-dos-dll.nasl -t <IP/HOST>

Go back to menu.

References

IAVA | Information Assurance Vulnerability Alert:

2020-A-0351-S

Cisco Bug ID:

CSCvu14943, CSCvu22424

Cisco Security Advisory:

cisco-sa-anyconnect-dll-F26WwJW, cisco-sa-anyconnect-dos-feXq4tAV

CWE | Common Weakness Enumeration:

CWE-20 (Weakness) Improper Input Validation
CWE-427 (Weakness) Uncontrolled Search Path Element

See also:

Similar and related Nessus plugins:

76491 - Cisco AnyConnect Secure Mobility Client 2.x / 3.x < 3.1(5170) Multiple OpenSSL Vulnerabilities
78676 - Cisco AnyConnect Secure Mobility Client < 3.1(5187) (POODLE)
82270 - Cisco AnyConnect Secure Mobility Client < 3.1(7021) / <= 4.0(48) Multiple Vulnerabilities (FREAK)
86302 - Cisco AnyConnect Secure Mobility Client 3.x < 3.1.11004.0 / 4.x < 4.1.6020.0 Privilege Escalation
88100 - Cisco AnyConnect Secure Mobility Client < 3.1.13015.0 / 4.2.x < 4.2.1035.0 Multiple OpenSSL Vulnerabilities
95951 - Cisco AnyConnect Secure Mobility Client 3.1.x < 4.3.4019.0 / 4.4.x < 4.4.225.0 Privilege Escalation
97226 - Cisco AnyConnect Secure Mobility Client 4.0.x < 4.3.05017 / 4.4.x < 4.4.00243 SBL Module Privilege Escalation
54954 - Cisco AnyConnect Secure Mobility Client < 2.3.254 Multiple Vulnerabilities
76129 - Cisco Windows Jabber Client Multiple Vulnerabilities in OpenSSL (cisco-sa-20140605-openssl)
60107 - Cisco Linksys PlayerPT ActiveX Control SetSource() Multiple Overflows
129947 - Cisco TelePresence Management Suite Simple Object Access Protocol Vulnerability
134164 - Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability
146581 - Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability (cisco-sa-anyconnect-dll-hijac-JrcTOQMC)
144945 - Cisco AnyConnect Secure Mobility Client for Windows DLL Injection (cisco-sa-anyconnect-dll-injec-pQnryXLf)
150807 - Cisco AnyConnect Secure Mobility Client for Windows Denial of Service Vulnerability (cisco-sa-anyconnect-dos-hMhyDfb8)
139543 - Cisco AnyConnect Secure Mobility Client for Windows Profile Modification (cisco-sa-anyconnect-profile-7u3PERKF)
139575 - Cisco Webex Meetings User Email Address Information Disclosure (cisco-sa-webex-mAkmV4qc)
88593 - Cisco Security Manager 4.9.x < 4.9(0.397) / 4.10.x < 4.10(0.189) OpenSSL ASN.1 Signature Handling DoS
42960 - Cisco VPN Client on Windows Service Control Manager DoS
96907 - Cisco WebEx for Firefox RCE (cisco-sa-20170124-webex)
96908 - Cisco WebEx for Internet Explorer RCE (cisco-sa-20170124-webex)
96772 - Cisco WebEx Extension for Chrome RCE (cisco-sa-20170124-webex)
58482 - Cisco Linksys PlayerPT ActiveX SetSource() Method base64string Argument Parsing Remote Overflow

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file cisco-sa-anyconnect-dos-dll.nasl version 1.10. For more plugins, visit the Nessus Plugin Library.

Go back to menu.

Cisco AnyConnect Secure Mobility Client for Windows Multiple Vulnerablities - Nessus

Plugin Overview

Vulnerability Information

Synopsis

Description

Solution

Public Exploits

Risk Information

Plugin Source

How to Run

References

Version

Nessus Plugin Library

Solving Problems with Office 365 Email from GoDaddy

Empire Module Library

CrackMapExec Module Library

Metasploit Android Modules

Top 16 Active Directory Vulnerabilities

Top 10 Vulnerabilities: Internal Infrastructure Pentest

Terminal Escape Injection

Cisco Password Cracking and Decrypting Guide

Capture Passwords using Wireshark

SSH Brute Force Attack Tool using PuTTY / Plink (ssh-putty-brute.ps1)

SMB Brute Force Attack Tool in PowerShell (SMBLogin.ps1)

Port Scanner in PowerShell (TCP/UDP)

Nessus CSV Parser and Extractor

Default Password Scanner (default-http-login-hunter.sh)