CVE-2020-3153
Vulnerability from cvelistv5
Published
2020-02-19 19:15
Modified
2024-11-08 16:12
Summary
A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.
References
ykramarz@cisco.comhttp://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.htmlExploit, Third Party Advisory, VDB Entry
ykramarz@cisco.comhttp://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.htmlExploit, Third Party Advisory, VDB Entry
ykramarz@cisco.comhttp://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.htmlExploit, Third Party Advisory, VDB Entry
ykramarz@cisco.comhttp://seclists.org/fulldisclosure/2020/Apr/43Exploit, Mailing List, Third Party Advisory
ykramarz@cisco.comhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsjVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.htmlExploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.htmlExploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.htmlExploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2020/Apr/43Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsjVendor Advisory
Impacted products
Vendor Product Version
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog

Date added: 2022-10-24

Due date: 2022-11-14

Required action: Apply updates per vendor instructions.

Used in ransomware: Known

Notes: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj; https://nvd.nist.gov/vuln/detail/CVE-2020-3153

Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:24:00.700Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20200219 Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj"
          },
          {
            "name": "20200421 Cisco AnyConnect elevation of privileges due to insecure handling of path names",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2020/Apr/43"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-3153",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-08T16:11:49.145209Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-10-24",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2020-3153"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-08T16:12:04.675Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco AnyConnect Secure Mobility Client",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "n/a",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-02-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-30T18:06:16",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20200219 Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj"
        },
        {
          "name": "20200421 Cisco AnyConnect elevation of privileges due to insecure handling of path names",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2020/Apr/43"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html"
        }
      ],
      "source": {
        "advisory": "cisco-sa-ac-win-path-traverse-qO4HWBsj",
        "defect": [
          [
            "CSCvs46327"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2020-02-19T16:00:00-0800",
          "ID": "CVE-2020-3153",
          "STATE": "PUBLIC",
          "TITLE": "Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco AnyConnect Secure Mobility Client",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "6.5",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-427"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20200219 Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj"
            },
            {
              "name": "20200421 Cisco AnyConnect elevation of privileges due to insecure handling of path names",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2020/Apr/43"
            },
            {
              "name": "http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-ac-win-path-traverse-qO4HWBsj",
          "defect": [
            [
              "CSCvs46327"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-3153",
    "datePublished": "2020-02-19T19:15:53.412807Z",
    "dateReserved": "2019-12-12T00:00:00",
    "dateUpdated": "2024-11-08T16:12:04.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2020-3153",
      "cwes": "[\"CWE-427\"]",
      "dateAdded": "2022-10-24",
      "dueDate": "2022-11-14",
      "knownRansomwareCampaignUse": "Known",
      "notes": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj; https://nvd.nist.gov/vuln/detail/CVE-2020-3153",
      "product": "AnyConnect Secure",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Cisco AnyConnect Secure Mobility Client for Windows allows for incorrect handling of directory paths. An attacker with valid credentials on Windows would be able to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks.",
      "vendorProject": "Cisco",
      "vulnerabilityName": "Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-3153\",\"sourceIdentifier\":\"ykramarz@cisco.com\",\"published\":\"2020-02-19T20:15:15.113\",\"lastModified\":\"2024-11-21T05:30:26.193\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el componente installer de Cisco AnyConnect Secure Mobility Client para Windows, podr\u00eda permitir a un atacante local autenticado copiar archivos suministrados por el usuario hacia directorios de nivel de sistema con privilegios de nivel system. La vulnerabilidad es debido al manejo incorrecto de las rutas de directorio. Un atacante podr\u00eda explotar esta vulnerabilidad mediante la creaci\u00f3n de un archivo malicioso y al copiar el archivo en un directorio del sistema. Una explotaci\u00f3n podr\u00eda permitir al atacante copiar archivos maliciosos en ubicaciones arbitrarias con privilegios de nivel system. Esto podr\u00eda incluir la precarga de DLL, el secuestro de DLL y otros ataques relacionados. Para explotar esta vulnerabilidad, el atacante necesita credenciales v\u00e1lidas sobre el sistema Windows.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.0,\"impactScore\":4.0}],\"cvssMetricV30\":[{\"source\":\"ykramarz@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.0,\"impactScore\":4.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:N/I:C/A:N\",\"baseScore\":4.9,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-10-24\",\"cisaActionDue\":\"2022-11-14\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability\",\"weaknesses\":[{\"source\":\"ykramarz@cisco.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-427\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-427\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:windows:*:*\",\"versionEndExcluding\":\"4.8.02042\",\"matchCriteriaId\":\"4A0666B9-0A5B-4DBE-8779-E1638AF985E9\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Apr/43\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Apr/43\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.