Source: nessus
This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Plugin file: CISCO_ANYCONNECT_4_1_4011.NASL
History: Aug 19, 2015 - 12:00 a.m.

Cisco AnyConnect Secure Mobility Client 3.x < 3.1.10010.0 / 4.x < 4.1.4011.0 Arbitrary File Write

2015-08-19 00:00:00
This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

EPSS

0.001

Percentile

41.5%

The Cisco AnyConnect Secure Mobility Client installed on the remote host is version 3.x prior to 3.1.10010.0 or 4.x prior to 4.1.4011.0.
It is therefore affected by a path traversal flaw caused by improper sanitization of user-supplied input. An unauthenticated, remote attacker who convinces a user to connect to a malicious head-end system can traverse outside a restricted path and write or overwrite arbitrary files in the active user’s context.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. This branch runs only when `description` is set; it
# declares the plugin's metadata and then exits, so none of the detection
# logic further down the file executes on this path.
if (description)
{
  script_id(85541);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/22");

  # Identifiers an analyst can use to correlate this finding with the
  # vendor advisory and other vulnerability feeds.
  script_cve_id("CVE-2015-4289");
  script_bugtraq_id(76125);
  script_xref(name:"CISCO-BUG-ID", value:"CSCut93920");

  script_name(english:"Cisco AnyConnect Secure Mobility Client 3.x < 3.1.10010.0 / 4.x < 4.1.4011.0 Arbitrary File Write");
  script_summary(english:"Checks the version of the Cisco AnyConnect client.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an arbitrary file write vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Cisco AnyConnect Secure Mobility Client installed on the remote
host is version 3.x prior to 3.1.10010.0 or 4.x prior to 4.1.4011.0.
It is, therefore, affected by a flaw due to improper sanitization of
user-supplied input. An unauthenticated, remote attacker can exploit
this issue, by convincing a user to connect to a malicious head-end
system, to traverse outside a restricted path and thus write or
overwrite arbitrary files in the active user's context.");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=40175");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco AnyConnect Secure Mobility Client version
3.1.10010.0 / 4.1.4011.0 or later.");
  # CVSS v2 base vector: network-reachable, low complexity, no
  # authentication; no confidentiality impact, partial integrity and
  # availability impact. The vector does not express the user-interaction
  # precondition stated in the description (the user must connect to a
  # malicious head-end), so weigh that when prioritising.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
  # Temporal vector: exploitability unproven (E:U), official fix available
  # (RL:OF), report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4289");

  # Exploit status as recorded in this plugin revision (script_cvs_date
  # above); it is not refreshed at scan time.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/19");

  # Declared as a "local" check: the result is derived from data collected
  # on the host rather than from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:anyconnect_secure_mobility_client");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on the AnyConnect install-detection plugin and on knowledge-base
  # keys for the detected install and for registry enumeration over SMB.
  # NOTE(review): presumably this means the plugin only produces a result
  # on credentialed Windows scans -- confirm against the scan policy.
  script_dependencies("cisco_anyconnect_vpn_installed.nasl");
  script_require_keys("installed_sw/Cisco AnyConnect Secure Mobility Client", "SMB/Registry/Enumerated");

  # Registration is complete; leave before the detection logic.
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

# Detection logic. The verdict is a pure version comparison on install data
# already stored in the scan knowledge base; nothing below exercises the
# file-write flaw. A finding therefore means "the recorded version is older
# than the fixed release", not "the host has been attacked".

# Requires the SMB registry enumeration key (per the helper's name, the
# script exits here when the key is absent).
get_kb_item_or_exit("SMB/Registry/Enumerated");

app_name = "Cisco AnyConnect Secure Mobility Client";

# Fetch the recorded install; exit_if_unknown_ver is set, so presumably an
# install without a version never reaches the comparison -- confirm against
# get_single_install's definition.
install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
path = install['path'];
ver  = install['version'];

# Select the fixed release for the installed branch. Only the 3.x and 4.x
# branches are evaluated: any other version string leaves fix as NULL and is
# audited as not vulnerable below, which means "outside this plugin's
# scope", not "verified safe".
fix = NULL;
if (ver =~ "^4\.")
{
  if (ver_compare(ver:ver, fix:'4.1.4011.0', strict:FALSE) < 0)
    fix = '4.1.4011.0';
}
else if (ver =~ "^3\.")
{
  if (ver_compare(ver:ver, fix:'3.1.10010.0', strict:FALSE) < 0)
    fix = '3.1.10010.0';
}

if (isnull(fix))
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, ver, path);
else
{
  # Report against the SMB transport port recorded in the KB, falling back
  # to 445 when none was stored.
  port = get_kb_item('SMB/transport');
  if (!port) port = 445;

  if (report_verbosity > 0)
  {
    # report is not assigned anywhere else in this file, so += appends to
    # an unset variable here.
    report +=
      '\n  Path              : ' + path +
      '\n  Installed version : ' + ver +
      '\n  Fixed version     : ' + fix +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
