Vulnerability CVE-2019-16007


Published: 2020-09-23

Description:
A vulnerability in the inter-service communication of Cisco AnyConnect Secure Mobility Client for Android could allow an unauthenticated, local attacker to perform a service hijack attack on an affected device or cause a denial of service (DoS) condition. The vulnerability is due to the use of implicit service invocations. An attacker could exploit this vulnerability by persuading a user to install a malicious application. A successful exploit could allow the attacker to access confidential user information or cause a DoS condition on the AnyConnect application.

Type:
CWE-345 (Insufficient Verification of Data Authenticity)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: None
Availability impact: Partial

Affected software:
Cisco -> AnyConnect Secure Mobility Client

References:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-anyconnect-hijack

Copyright 2021, cxsecurity.com

 
