Vulnerability CVE-2019-16007

Vulnerability CVE-2019-16007

Published: 2020-09-23

Description:

A vulnerability in the inter-service communication of Cisco AnyConnect Secure Mobility Client for Android could allow an unauthenticated, local attacker to perform a service hijack attack on an affected device or cause a denial of service (DoS) condition. The vulnerability is due to the use of implicit service invocations. An attacker could exploit this vulnerability by persuading a user to install a malicious application. A successful exploit could allow the attacker to access confidential user information or cause a DoS condition on the AnyConnect application.

Type:

CWE-345

(Insufficient Verification of Data Authenticity)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
5.8/10	4.9/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	None	Partial

Affected software
Cisco -> Anyconnect secure mobility client

References:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-anyconnect-hijack

Copyright 2024, cxsecurity.com