CVE-2023-20178 - OpenCVE

A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established. This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cisco	Anyconnect Secure Mobility Client Secure Client

Configuration 1 [-]

OR	cpe:2.3:a:cisco:anyconnect_secure_mobility_client::::::windows::*
	cpe:2.3:a:cisco:secure_client::::::windows::*

No data.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw

History

No history.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2023-06-28T00:00:00

Updated: 2024-08-02T09:05:34.960Z

Reserved: 2022-10-27T00:00:00

Link: CVE-2023-20178

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-06-28T15:15:09.880

Modified: 2024-01-25T17:15:32.647

Link: CVE-2023-20178

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-20178", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "dateUpdated": "2024-08-02T09:05:34.960Z", "dateReserved": "2022-10-27T00:00:00", "datePublished": "2023-06-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2024-01-25T16:57:50.608Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.\r\n\r This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges."}], "affected": [{"vendor": "Cisco", "product": "Cisco Secure Client", "versions": [{"version": "4.9.00086", "status": "affected"}, {"version": "4.9.01095", "status": "affected"}, {"version": "4.9.02028", "status": "affected"}, {"version": "4.9.03047", "status": "affected"}, {"version": "4.9.03049", "status": "affected"}, {"version": "4.9.04043", "status": "affected"}, {"version": "4.9.04053", "status": "affected"}, {"version": "4.9.05042", "status": "affected"}, {"version": "4.9.06037", "status": "affected"}, {"version": "4.10.00093", "status": "affected"}, {"version": "4.10.01075", "status": "affected"}, {"version": "4.10.02086", "status": "affected"}, {"version": "4.10.03104", "status": "affected"}, {"version": "4.10.04065", "status": "affected"}, {"version": "4.10.04071", "status": "affected"}, {"version": "4.10.05085", "status": "affected"}, {"version": "4.10.05095", "status": "affected"}, {"version": "4.10.05111", "status": "affected"}, {"version": "4.10.06079", "status": "affected"}, {"version": "4.10.06090", "status": "affected"}, {"version": "5.0.00238", "status": "affected"}, {"version": "5.0.00529", "status": "affected"}, {"version": "5.0.00556", "status": "affected"}, {"version": "5.0.01242", "status": "affected"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect Default Permissions", "type": "cwe", "cweId": "CWE-276"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw", "name": "cisco-sa-ac-csc-privesc-wx4U4Kw"}], "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory."}], "source": {"advisory": "cisco-sa-ac-csc-privesc-wx4U4Kw", "discovery": "EXTERNAL", "defects": ["CSCwe00252"]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:05:34.960Z"}, "title": "CVE Program Container", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw", "name": "cisco-sa-ac-csc-privesc-wx4U4Kw", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:windows:*:*", "matchCriteriaId": "9980A481-8A54-475A-B735-0C339FF30314", "versionEndExcluding": "4.10.07061", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_client:*:*:*:*:*:windows:*:*", "matchCriteriaId": "7A856448-9BF4-4693-A1EA-3B6C06DB4259", "versionEndExcluding": "5.0.02075", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.\r\n\r This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges."}], "id": "CVE-2023-20178", "lastModified": "2024-01-25T17:15:32.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2023-06-28T15:15:09.880", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}