CVE-2021-1427:Cisco AnyConnect Secure Mobility Client for Windows contains DLL and executable hijacking vulnerabilities that could allow authenticated local attackers to execute arbitrary code with SYSTEM privileges.

splash
Back

Description Preview

Multiple vulnerabilities exist in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows. These vulnerabilities (CWE-427: Uncontrolled Search Path Element) could allow an authenticated local attacker with valid Windows credentials to hijack DLL or executable files used by the application. By exploiting these vulnerabilities, attackers could execute arbitrary code with SYSTEM privileges on affected Windows systems.

Overview

The vulnerabilities affect the Cisco AnyConnect Secure Mobility Client for Windows during installation, uninstallation, and upgrade processes. The root cause is improper validation of DLL and executable files that are loaded by the application. An attacker with local access and valid credentials to the Windows system could place malicious DLL or executable files in locations where the AnyConnect client searches for these files, leading to code execution with elevated SYSTEM privileges when the application processes are triggered. This represents a significant privilege escalation risk as the attacker could gain complete control over the affected system.

Remediation

  1. Update Cisco AnyConnect Secure Mobility Client to the latest version as recommended in the Cisco Security Advisory.
  2. Implement the principle of least privilege by restricting local user permissions on Windows systems.
  3. Monitor for suspicious file creation activities in directories used by the AnyConnect client.
  4. Ensure only authorized users have access to Windows systems running the AnyConnect client.
  5. Follow Cisco's security best practices for AnyConnect deployment and management.
  6. Consider implementing application control solutions to prevent unauthorized executables from running.

References

  1. Cisco Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-code-exec-jR3tWTA6
  2. Common Weakness Enumeration (CWE-427): https://cwe.mitre.org/data/definitions/427.html
  3. MITRE ATT&CK: DLL Search Order Hijacking (T1574.001)
  4. Cisco AnyConnect Secure Mobility Client Documentation: https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-installation-and-configuration-guides-list.html

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
    Manufacturing
  2. Health Care & Social Assistance
    Health Care & Social Assistance
  3. Public Administration
    Public Administration
  4. Educational Services
    Educational Services
  5. Transportation & Warehousing
    Transportation & Warehousing
  6. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  7. Utilities
    Utilities
  8. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  9. Finance and Insurance
    Finance and Insurance
  10. Other Services (except Public Administration)
    Other Services (except Public Administration)
  11. Retail Trade
    Retail Trade
  12. Management of Companies & Enterprises
    Management of Companies & Enterprises
  13. Accommodation & Food Services
    Accommodation & Food Services
  14. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  15. Construction
    Construction
  16. Information
    Information
  17. Mining
    Mining
  18. Wholesale Trade
    Wholesale Trade
  19. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  20. Real Estate Rental & Leasing
    Real Estate Rental & Leasing

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background
Armis Vulnerability Intelligence Database