
CVE-2021-1280 : Cisco Advanced Malware Protection (AMP) - DLL Hijack
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
A vulnerability in the loading mechanism of specific DLLs of Cisco Advanced Malware Protection (AMP) for Endpoints for Windows and Immunet for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need valid credentials on the Windows system. This vulnerability is due to incorrect handling of directory search paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with SYSTEM privileges.
1.2 CVSS Score
The vendor rates this vulnerability at a CVSS base score of 7.8 (High). Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1.3 Affected Version
All Cisco AMP for Endpoints for Windows releases earlier than Release 7.3.3
All Immunet for Windows releases earlier than Release 7.3.12
1.4 Vulnerability Attribution
This vulnerability was reported by Cisco Systems, Inc.
1.5 Risk Impact
No public exploits are available as of today.
According to this site, Cisco AMP is used mostly by top-1000 enterprises with higher revenue.
Exploiting this vulnerability could let an attacker plant a backdoor in the AMP security system and compromise the company's whole infrastructure.
1.6 Virsec Security Platform (VSP) Support:
VSP-Host can detect DLL hijacking attacks. Any DLL that is not on the allowed list is not allowed to load into legitimate processes.
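The allow-list check described above, as an added example that is not VSP's implementation or Cisco's code: it evaluates constructed image-load records against approved (path, SHA-256) pairs and gives a reason for each rejected load. The process name, DLL paths and hashes are placeholders chosen for illustration.

```python
import ntpath

# All names, paths and hashes below are constructed placeholders, not values
# from the advisory or from any Cisco or Virsec product.
PROTECTED = {r"c:\program files\example-agent\agent.exe"}
ALLOWED = {  # (normalized DLL path, SHA-256) pairs approved for protected processes
    (r"c:\windows\system32\version.dll", "a" * 64),
    (r"c:\program files\example-agent\core.dll", "b" * 64),
}
EVENTS = [  # constructed image-load records: process, DLL path, DLL hash
    {"process": r"C:\Program Files\Example-Agent\agent.exe",
     "dll": r"C:\Windows\System32\version.dll", "sha256": "A" * 64},
    {"process": r"C:\Program Files\Example-Agent\agent.exe",
     "dll": r"C:\Program Files\Example-Agent\version.dll", "sha256": "c" * 64},
    {"process": r"C:\Program Files\Example-Agent\agent.exe",
     "dll": r"C:\Program Files\Example-Agent\core.dll", "sha256": "d" * 64},
    {"process": r"C:\Windows\notepad.exe",
     "dll": r"C:\Users\Public\helper.dll", "sha256": "e" * 64},
]

def norm(path):
    """Case-fold and normalize a Windows path so comparisons are stable."""
    return ntpath.normpath(path).lower()

def evaluate(event):
    """Return (verdict, reason) for one image-load record."""
    if norm(event["process"]) not in PROTECTED:
        return ("ignore", "process is not protected")
    path, digest = norm(event["dll"]), event["sha256"].lower()
    if (path, digest) in ALLOWED:
        return ("allow", "path and hash on allow list")
    # Same path, different content: the approved file was replaced.
    if any(p == path for p, _ in ALLOWED):
        return ("block", "allow-listed path, hash mismatch")
    # Approved file name seen in another directory: search-path confusion.
    if any(ntpath.basename(p) == ntpath.basename(path) for p, _ in ALLOWED):
        return ("block", "allow-listed name, unexpected directory")
    return ("block", "not on allow list")

def blocked(events):
    """List (dll, reason) for every load the allow list rejects."""
    return [(e["dll"], r) for e in events for v, r in [evaluate(e)] if v == "block"]

if __name__ == "__main__":
    for dll, reason in blocked(EVENTS):
        print(f"BLOCK {dll}: {reason}")
```

Keying the list on path and hash together, rather than on file name alone, is what lets the check distinguish an approved DLL from a same-named file in a different directory.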
1.7 Reference Links:
- NVD - CVE-2021-1280 (nist.gov)
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-amp-imm-dll-5PAZ3hRV