Cisco AnyConnect Secure Mobility Client for Linux and Mac OS X Privilege Escalation Vulnerability

A vulnerability in the code responsible for the self-updating feature of Cisco AnyConnect Secure Mobility Client for Linux and the Cisco AnyConnect Secure Mobility Client for Mac OS X could allow an authenticated, local attacker to execute an arbitrary executable file of its choosing with privileges equivalent to the Linux or Mac OS X root account.

The vulnerability is due to lack of checks in the code for the path and filename of the file being installed. An attacker could exploit this vulnerability by invoking this functionality with a crafted installation file. A successful exploit could allow the attacker to execute commands on the underlying Linux or Mac OS X host with privileges equivalent to the root account.

Cisco has confirmed the vulnerability and software updates are available.

To exploit this vulnerability, an attacker must authenticate and have local access to the targeted device. These access requirements decrease the likelihood of a successful exploit.

This vulnerability can be exploited only on systems running on Linux and Mac OS platforms. Systems on Microsoft Windows platforms are not affected by this vulnerability.

Cisco indicates through the CVSS score that functional code exists; however, the code is not known to be
publicly available.

This issue was reported to the Cisco PSIRT by Mr. Yorick Koster of Securify B.V. We would like to thank Mr. Koster and Securify B.V. for reporting this vulnerability to Cisco and working with us towards a coordinated disclosure.