The outline of the C# code and the DLL source code are based on Google Project Zero PoC for CVE-2015-6305: link.

The cstub.exe binary in this repository was extracted from AnyConnect Posture module version 4.

Path to vpndownloader.exe may be different. I have not tested any Cisco AnyConnect 64-bit versions.
#Cisco anyconnect 4.6 windows 10
This exploit has been tested on Windows 7 and Windows 10 with the following Cisco AnyConnect versions (32-bit):

The CVE-2020-3153.xml file can be found in the msbuild folder.

MSBuild launcher for CVE-2020-3153

An MSBuild launcher has been created from the C# program in case of Application Whitelisting or to change the path to vpndownloader.exe without recompiling the C# code.

C:\Windows\Microsoft.Net\Framework64\v9\MSBuild.exe c:\path\to\CVE-2020-3153.xml

This VPN client has a feature called no split tunneling that forces all.

Run CVE-2020-3153.exe (in the CVE-2020-3153/bin/Release folder) or use the "msbuild" version (in case of Application Whitelisting).

lacking the support for IPv6: Cisco IPsec VPN client release 4.6 and earlier.

In addition, I embedded dbghelp.dll in Base64 in the C# code to have a standalone exploit. However, this exploit uses vpndownloader.exe (also a Cisco signed binary that is affected by the same DLL hijacking vulnerability) instead of cstub.exe.

Symptom: In later versions of AnyConnect 4.6, when FIPS is enabled we are unable to initiate an IPsec connection.

This exploit uses the "hijack of a DLL loaded by a Cisco signed binary" attack scenario described in the original advisory and in SSD's post.
#Cisco anyconnect 4.6 upgrade
The version of Cisco AnyConnect Secure Mobility Client installed on the remote Windows host is prior to 8. It is, therefore, affected by a certificate bypass vulnerability.

Solution: Upgrade to Cisco AnyConnect Secure Mobility Client version 8 or later.
systems that AnyConnect can be installed on at the time of writing (AnyConnect 4.6).

Give any user highly secure access to the enterprise network, from any device, at any time, in any location.

Cisco AnyConnect < 2 privilege escalation through path traversal

Description

The auto-update feature of Cisco AnyConnect is affected by a path traversal vulnerability. An attacker can exploit this vulnerability to gain system level privileges.