SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Cisco AnyConnect Secure Mobility Client Vendors:   Cisco
Cisco AnyConnect Secure Mobility Client Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1033656
SecurityTracker URL:  http://securitytracker.com/id/1033656
CVE Reference:   CVE-2015-6306   (Links to External Site)
Date:  Sep 24 2015
Impact:   Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes  
Version(s): 4.1(8)
Description:   A vulnerability was reported in Cisco AnyConnect Secure Mobility Client. A local user can obtain root privileges on the target system.

A local user can exploit a flaw in the self-updating feature in the validation of the path and filename of the file being installed to mount an arbitrary DMG file at an arbitrary mount point and execute arbitrary operating system commands on the target system with root privileges.

The vendor has assigned bug ID CSCuv11947 to this vulnerability.

The original advisory is available at:

https://www.securify.nl/advisory/SFY20150701/cisco_anyconnect_elevation_of_privileges_via_dmg_install_script.html

Mr. Yorick Koster of Securify B.V. reported this vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   No solution was available at the time of this entry.

The Cisco advisory is available at:

http://tools.cisco.com/security/center/viewAlert.x?alertId=41135

Vendor URL:  tools.cisco.com/security/center/viewAlert.x?alertId=41135 (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (macOS/OS X)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC