A vulnerability in the upgrade component of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker with low privileges to read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient file permission restrictions.
- AnyConnect Secure Mobility Client for Linux: AnyConnect Secure Mobility Client is the official Cisco VPN client. If you have not previously installed the Cisco AnyConnect client, you can authenticate to any of the VPNs through a web browser, which will attempt to auto-install AnyConnect.
- Nov 12, 2014: See the Enabling FIPS and Additional Security in the Local Policy section of the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 for more details.
Windows Vista/7/8/8.1/10 (32 or 64 bit) AnyConnect Client Installation
- Browse to NS VPN Client Download Page
- Start the 'anyconnect-win' installer downloaded from the NS VPN Client Download Page.
- At each prompt, click 'Next.' You may see a 'User Account Control' dialog box asking if you would like to install the program. Click 'Yes.'
- Once the install is complete, click 'Finish.'
- Start the 'anyconnect-win-gina' installer downloaded from the NS VPN Client Download Page.
- At each prompt, click 'Next.' You may see a 'User Account Control' dialog box asking if you would like to install the program. Click 'Yes.'
- Once the install is complete, click 'Finish.'
- The machine will now ask to reboot. Click 'Yes' to reboot.
- Launch the client by going to Start -> All Programs -> Cisco -> Cisco AnyConnect Secure Mobility Client.
- In the field to the left of the 'Connect' button, click on the text area and type 'vpn.ufl.edu'. Click connect.
- Authenticate with your GatorLink ID (in the form username@ufl.edu) and your GatorLink password. Click OK.
- The most recent version of the client and vpn configuration files will be automatically downloaded. This may require another reboot to complete the update.
- Your client is now ready for use.
Notes:
- Once AnyConnect is installed on your machine, it will always be automatically upgraded to the latest version as new versions are published by Network Services. You shouldn't need to go through the manual installation process unless you reinstall your operating system, or your client becomes corrupted and needs to be uninstalled and reinstalled.
- After connecting for the first time, the VPN policy will be pushed to your client. The pulldown will say 'Gatorlink VPN' rather than vpn.ufl.edu after this policy is downloaded.
Current Description
A vulnerability in the upgrade component of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker with low privileges to read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient file permission restrictions. An attacker could exploit this vulnerability by sending a crafted command from the local CLI to the application. A successful exploit could allow the attacker to read arbitrary files on the underlying OS of the affected device. The attacker would need to have valid user credentials to exploit this vulnerability.
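The weakness described above is insufficient file permission restrictions: files handled by a privileged upgrade component end up readable (or writable) by low-privilege local users. The following is an added defender-side example, not code from Cisco, NVD or this page: it walks a directory tree and reports files whose mode bits grant group/other access, which is the kind of check an administrator can run over an install or upgrade directory on Linux. The directory tree it audits is constructed inline, and the permission thresholds and the list of "sensitive" suffixes are assumptions chosen for the example, not values taken from the advisory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that should not be set on files a privileged upgrade component
# leaves behind. These thresholds are assumptions for this example:
# any group/other write bit is always reported; group/other read is reported
# only for suffixes we treat as sensitive.
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
SENSITIVE_SUFFIXES = (".key", ".pem", ".xml", ".log")


def audit_permissions(root, sensitive_suffixes=SENSITIVE_SUFFIXES):
    """Return a sorted list of (relative_path, octal_mode, reason) findings
    for regular files under root whose permission bits are too permissive."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        perm = oct(stat.S_IMODE(mode))  # e.g. '0o644', file-type bits stripped
        rel = str(path.relative_to(root))
        if mode & GROUP_OTHER_WRITE:
            findings.append((rel, perm, "writable by group/other"))
        elif path.suffix in sensitive_suffixes and mode & GROUP_OTHER_READ:
            findings.append((rel, perm, "sensitive file readable by group/other"))
    return findings


def demo():
    """Build a constructed sample tree, audit it and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="perm-audit-"))
    (root / "upgrade").mkdir()
    # Constructed sample files and the modes we assign to them.
    samples = {
        "upgrade/staging.log": 0o644,   # world-readable log: reported
        "upgrade/manifest.xml": 0o600,  # owner-only: fine
        "upgrade/helper.sh": 0o777,     # world-writable: reported
        "upgrade/readme.txt": 0o644,    # non-sensitive, world-readable: fine
    }
    for rel, mode in samples.items():
        target = root / rel
        target.write_text("constructed sample content\n")
        os.chmod(target, mode)  # chmod sets the bits exactly, umask does not apply
    return audit_permissions(root)


if __name__ == "__main__":
    for rel, perm, reason in demo():
        print(f"{perm} {rel}: {reason}")
```

Running the script on a real install directory (call audit_permissions with that path instead of demo()) gives a list that can be fed into a ticket or a configuration-management check; in the constructed tree it reports the world-writable helper script and the world-readable log while leaving the owner-only manifest and the non-sensitive text file alone.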
Severity
CVSS 3.x Severity and Metrics:
Weakness Enumeration
CWE-ID | CWE Name | Source
---|---|---
CWE-269 | Improper Privilege Management | NIST
CWE-264 | Permissions, Privileges, and Access Controls | Cisco Systems, Inc.
Known Affected Software Configurations