Cisco Security Advisory
MacOS Local Privilege Escalation Exploitable through Cisco AnyConnect Secure Mobility Client
-
On May 26, 2020, Apple released a security update for MacOS Catalina, Mojave, and High Sierra. Part of this update addressed a local privilege escalation vulnerability (CVE-2020-9817).
Cisco has determined that Cisco AnyConnect Secure Mobility Client releases 4.10.00093 and earlier could be used to exploit this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-mac-priv-esc-VqST2nrT
-
The MacOS Installer process extracts the contents of an application package to a temporary folder before execution. Instead of assigning ownership of these files to the root user, the original UID from the developer’s system is maintained. A local attacker with the same UID as the extracted files could modify them to execute code on the underlying operating system with root privileges.
Additional information about this vulnerability is available at the following links:
- About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra
- Technical Advisory - macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
Cisco is tracking this issue in Cisco bug ID CSCvw22016.
-
Cisco customers are advised to apply the Apple security update on all affected operating systems where Cisco applications or products are running.
Cisco will update Cisco AnyConnect Secure Mobility Client in the next release to address this MacOS Installer vulnerability.
-
Cisco would like to thank the Lockheed Martin Red Team for reporting this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessVersion Description Section Status Date 1.1 Added reference to Cisco bug ID. Details Final 2021-MAY-11 1.0 Initial public release. - Final 2021-MAY-05
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.