
CVE-2013-1215

Published: 25/04/2013 Updated: 11/08/2023
CVSS v2 Base Score: 6.8 | Impact Score: 10 | Exploitability Score: 3.1
VMScore: 605
Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in the Easy VPN feature of Cisco ASA Software running on Cisco ASA 5505 hardware could allow an authenticated, local malicious user to elevate their privileges on the device running Cisco ASA Software. The vulnerability is due to a mishandling of privilege levels, which are temporarily manipulated by the vpnclient command. An attacker could exploit this vulnerability by executing the vpnclient command, provided the privilege level of this command has been changed so that the local attacker can execute it. Cisco has confirmed the vulnerability in a security notice, and software updates are available. To exploit this vulnerability, an attacker must authenticate and have local access to a targeted device. These access requirements decrease the likelihood of a successful exploit. Customers are advised to review the bug report in the vendor announcements section for a current list of affected versions. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
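The summary's precondition is that the privilege level of the vpnclient command has been changed so that a non-administrative user can run it. The following audit check is an added example, not code from Cisco or from this page: it scans a saved ASA configuration for `privilege ... command vpnclient` lines. It assumes level 15 is the baseline and that anything lower deserves review; the sample configuration is constructed.

```python
import re

# ASA privilege lines look like:
#   privilege [show|clear|cmd|configure] level N [mode M] command NAME
PRIV_RE = re.compile(
    r"^privilege\s+(?:(?P<kind>show|clear|cmd|configure)\s+)?"
    r"level\s+(?P<level>\d+)\s+"
    r"(?:mode\s+(?P<mode>\S+)\s+)?"
    r"command\s+(?P<command>\S.*?)\s*$",
    re.IGNORECASE,
)

ADMIN_LEVEL = 15  # assumption: anything below the top level is worth reviewing


def find_lowered_vpnclient(config_text, command="vpnclient"):
    """Return (line_no, level, kind, mode) for every privilege line that
    assigns `command` to a level below ADMIN_LEVEL."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        m = PRIV_RE.match(raw.strip())
        if not m:
            continue  # not a privilege statement
        if m.group("command").split()[0].lower() != command:
            continue  # privilege statement for a different command
        level = int(m.group("level"))
        if level < ADMIN_LEVEL:
            findings.append(
                (line_no, level, m.group("kind") or "all", m.group("mode") or "any")
            )
    return findings


# Constructed sample configuration fragment (not taken from a real device).
SAMPLE_CONFIG = """\
hostname asa5505-lab
enable password ***** encrypted
privilege show level 5 command running-config
privilege cmd level 5 mode configure command vpnclient
privilege show level 3 mode exec command vpnclient
privilege cmd level 15 mode configure command vpnclient
vpnclient mode client-mode
"""

if __name__ == "__main__":
    for line_no, level, kind, mode in find_lowered_vpnclient(SAMPLE_CONFIG):
        print(f"line {line_no}: vpnclient ({kind}, mode {mode}) allowed at level {level}")
```

A finding is a prompt to review who holds that privilege level on an ASA 5505 and whether the device runs a fixed release; the page does not list affected versions.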

Vulnerable Product

cisco adaptive_security_appliance_software -

cisco 5500_series_adaptive_security_appliance

cisco asa_5500

Vendor Advisories

A vulnerability in the Easy VPN feature of Cisco ASA Software running on Cisco ASA 5505 hardware could allow an authenticated, local attacker to elevate their privileges on the device running Cisco ASA Software. The vulnerability is due to a mishandling of privilege levels, which are temporarily manipulated by the vpnclient command. An attacker co ...