Cisco AnyConnect Secure Mobility Client Arbitrary File Move Vulnerability

A vulnerability in interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker to move arbitrary files with elevated privileges.

The vulnerability is due to missing source path validation in certain IPC commands. An attacker could exploit this vulnerability by sending crafted IPC messages. An exploit could allow the attacker to move arbitrary files with elevated privileges, which could affect the integrity of the system and cause a denial of service condition.

Cisco has not released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151008-asmc[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151008-asmc”]