CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
98.5%
The remote host has a version of Cisco AnyConnect 2.x or 3.x prior to 3.1(629). As such, when the VPNAPI COM module calls the ATL framework, certain input data are not properly validated and could allow a buffer overflow. This error could lead to arbitrary code execution.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(71464);
script_version("1.5");
script_cvs_date("Date: 2019/11/27");
script_cve_id("CVE-2013-5559");
script_bugtraq_id(63491);
script_xref(name:"CISCO-BUG-ID", value:"CSCuj58139");
script_name(english:"Cisco AnyConnect Secure Mobility Client 2.x / 3.x < 3.0(629) ATL Buffer Overflow");
script_summary(english:"Checks version of Cisco AnyConnect Client");
script_set_attribute(attribute:"synopsis", value:
"The remote host has software installed that is affected by a buffer
overflow vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host has a version of Cisco AnyConnect 2.x or 3.x prior to
3.1(629). As such, when the VPNAPI COM module calls the ATL framework,
certain input data are not properly validated and could allow a buffer
overflow. This error could lead to arbitrary code execution.");
script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCuj58139");
# https://tools.cisco.com/security/center/viewAlert.x?alertId=31606
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6ff8e198");
script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=31606");
# http://blogs.ixiacom.com/ixia-blog/newly-discovered-vulnerability-in-cisco-anyconnect/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?577a8ca4");
script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco AnyConnect Secure Mobility Client 3.0(629) or
later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5559");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/01");
script_set_attribute(attribute:"patch_publication_date", value:"2013/11/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:anyconnect_secure_mobility_client");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_anyconnect_vpn_installed.nasl");
script_require_keys("SMB/cisco_anyconnect/Installed");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
appname = 'Cisco AnyConnect Mobility VPN Client';
kb_base = 'SMB/cisco_anyconnect/';
report = '';
num_installed = get_kb_item_or_exit(kb_base + 'NumInstalled');
for (install_num = 0; install_num < num_installed; install_num++)
{
path = get_kb_item_or_exit(kb_base + install_num + '/path');
ver = get_kb_item_or_exit(kb_base + install_num + '/version');
fix = '3.0.629.0';
fix_display = fix + ' (3.0(629))';
if ((ver =~ "^2\." || ver =~ "^3\.0\.") && ver_compare(ver:ver, fix:fix) == -1)
{
report +=
'\n Path : ' + path +
'\n Installed version : ' + ver +
'\n Fixed version : ' + fix_display + '\n';
}
}
if (report != '')
{
port = get_kb_item("SMB/transport");
if (!port) port = 445;
if (report_verbosity > 0) security_warning(port:port, extra:report);
else security_warning(port);
exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, appname);