===========================================================================
ZMCIRT Vulnerability Bulletin
ZMC-2021.11.4.0800
Cisco AnyConnect Secure Mobility Client: Multiple vulnerabilities
4th November 2021
===========================================================================
Product: Cisco AnyConnect Secure Mobility Client
Publisher: Cisco Systems
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-40124
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-nam-priv-yCsRNUGT
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco AnyConnect Secure Mobility Client for Windows with Network Access Manager
Module Privilege Escalation Vulnerability
Priority: Medium
Advisory ID: cisco-sa-anyconnect-nam-priv-yCsRNUGT
First Published: 2021 November 3 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvz67203
CVE Names: CVE-2021-40124
CWEs: CWE-266
Summary
o A vulnerability in the Network Access Manager (NAM) module of Cisco
AnyConnect Secure Mobility Client for Windows could allow an authenticated,
local attacker to escalate privileges on an affected device.
This vulnerability is due to incorrect privilege assignment to scripts
executed before user logon. An attacker could exploit this vulnerability by
configuring a script to be executed before logon. A successful exploit
could allow the attacker to execute arbitrary code with SYSTEM privileges.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-nam-priv-yCsRNUGT
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco AnyConnect
Secure Mobility Client for Windows when it had the NAM module installed and
the following settings configured in the NAM profile:
Client Policy > Connection Settings > Before User Logon
Client Policy > End-user Control > Specify a script or application to
run when connected
For information about which Cisco software releases were vulnerable at the
time of publication, see the Fixed Software section of this advisory. See
the Details section in the bug ID(s) at the top of this advisory for the
most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, the release information in the following table
(s) was accurate. See the Details section in the bug ID(s) at the top of
this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column
indicates whether a release was affected by the vulnerability described in
this advisory and which release included the fix for this vulnerability.
Cisco AnyConnect Secure Mobility Client Release First Fixed Release
Earlier than 4.10.03104 4.10.03104
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
Source
o Cisco would like to thank Jacob Griffith from Huntington National Bank for
reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-nam-priv-yCsRNUGT
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2021-NOV-03 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Internet Email: report@cirt.zm
Telephone: 7070
ZMCIRT personnel answer during Zambian business hours
which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================
Copyright @2023 ZAMBIA CIRT