CVE-2015-6305

Untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe in Cisco AnyConnect Secure Mobility Client 2.0 through 4.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by dbghelp.dll, aka Bug ID CSCuv01279.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4211.
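| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.2 UNKNOWN | LOCAL | LOW | | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| cisco | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |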
EPSS Score percentile: 89%
Vulnerable software versions

Vendor: cisco
Product: anyconnect_secure_mobility_client
Versions:
2.0.0343
2.1.0.148
2.2.0133
2.2.0136
2.2.0140
2.3.0185
2.3.0254
2.3.1003
2.3.2016
2.4.0202
2.4.1012
2.5.0217
2.5.2006
2.5.2010
2.5.2011
2.5.2014
2.5.2017
2.5.2018
2.5.2019
2.5.3041
2.5.3046
2.5.3051
2.5.3054
2.5.3055
2.5_base:_base
3.0.0
3.0.0629
3.0.1047
3.0.2052
3.0.3050
3.0.3054
3.0.4235
3.0.5075
3.0.5080
3.0.09231
3.0.09266
3.0.09353
3.1\(60\)
3.1.0
3.1.02043
3.1.05182
3.1.05187
3.1.06073
3.1.07021
4.0\(48\)
4.0\(64\)
4.0\(2049\)
4.0.0
4.0.00048
4.0.00051
4.1.0