Privilege escalation in Cisco Umbrella Enterprise Roaming Client

Published: 2018-09-06

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2018-0437 CVE-2018-0438
CWE-ID	CWE-264
Exploitation vector	Local
Public exploit	Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available.
Vulnerable software Subscribe	Cisco Umbrella Enterprise Roaming Client Client/Desktop applications / Other client software
Vendor	Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Privilege escalation

EUVDB-ID: #VU14678

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-0437

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper implementation of file system permissions. A local attacker can place an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.

Mitigation

Update Cisco Umbrella ERC to version 2.1.118.

Vulnerable software versions

Cisco Umbrella Enterprise Roaming Client: 2.1.112

CPE2.3

cpe:2.3:a:cisco_systems:cisco_umbrella_enterprise_roaming_client:2.1.112:*:*:*:*:*:*:*

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-pri...

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Privilege escalation

EUVDB-ID: #VU14679

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-0438

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper implementation of file system permissions. A local attacker can place an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.

Mitigation

Update Cisco Umbrella ERC to version 2.1.127.

Vulnerable software versions

Cisco Umbrella Enterprise Roaming Client: 2.1.112 - 2.1.118

CPE2.3

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-file-read

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.