Approved

Query for "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability"

Cisco Security recently updated (21 May 2021) its information about this vulnerability.
The query checks whether the endpoint is affected by the 'Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability' when Cisco AnyConnect is installed.

--EDR Query to check Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability
--Branch 1: the interim releases 4.9.04053, 4.9.05042 and 4.9.06037 are affected only while RestrictScriptWebDeploy is false.
--Branch 2: releases before 4.9.04053 are affected only while BypassDownloader is false.
--Both settings are read from AnyConnectLocalPolicy.xml with the grep table; a scalar subquery returns NULL when nothing matches, which falls through to ELSE.
--Caveat: 'version' is compared as a string, so '4.10.x' sorts before '4.9.x'; the comparison is only meaningful for 4.x versions with a single-digit minor.

SELECT
  CASE
    WHEN (
           (SELECT 1 FROM programs WHERE name LIKE 'Cisco AnyConnect Secure Mobility Client' AND version IN ('4.9.04053','4.9.05042','4.9.06037'))
           AND
           (SELECT 1 FROM grep WHERE pattern LIKE 'RestrictScriptWebDeploy>false</RestrictScriptWebDeploy'
              AND path = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml')
         ) = 1
      OR (
           (SELECT 1 FROM programs WHERE name LIKE 'Cisco AnyConnect Secure Mobility Client' AND version < '4.9.04053')
           AND
           (SELECT 1 FROM grep WHERE pattern LIKE 'BypassDownloader>false</BypassDownloader'
              AND path = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml')
         ) = 1
    THEN 'The device is affected by this vulnerability' || ' --> ' || (SELECT (name || ': ' || 'Version: ' || version) FROM programs WHERE name LIKE 'Cisco AnyConnect Secure Mobility Client')
    ELSE 'The device is NOT affected by this vulnerability OR The program is NOT installed'
  END AS Status;
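The same two version/policy branches can be re-implemented on a host where the EDR query cannot run; this is an added example, not part of the original query. It assumes the caller supplies the installed version string and the contents of AnyConnectLocalPolicy.xml, parses the XML instead of grepping it (so a commented-out setting is not mistaken for a live one) and compares versions numerically, which the string comparison in the query does not do; the sample policy and its namespace are constructed.

```python
"""Added example: the query's two affected-version branches in Python, with
an XML parser and numeric version comparison. SAMPLE_POLICY is constructed
for this example and its namespace is a placeholder."""
import xml.etree.ElementTree as ET

# Interim releases affected only while RestrictScriptWebDeploy is false.
RESTRICT_SETTING_VERSIONS = {"4.9.04053", "4.9.05042", "4.9.06037"}
# Releases below this are affected only while BypassDownloader is false.
FIRST_RESTRICT_VERSION = (4, 9, 4053)

# Constructed sample policy: the commented-out line is what a plain text
# grep for 'BypassDownloader>false</BypassDownloader' would still match.
SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="urn:example:placeholder" acversion="4.9.04053">
  <!-- <BypassDownloader>false</BypassDownloader> -->
  <BypassDownloader>true</BypassDownloader>
  <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
</AnyConnectLocalPolicy>"""


def parse_version(version):
    """'4.9.04053' -> (4, 9, 4053), so that 4.10.x sorts after 4.9.x."""
    return tuple(int(part) for part in version.split("."))


def policy_setting(policy_xml, element):
    """Text of the first <element> in the policy, matched on local name so a
    namespace on the root does not matter; None if absent. The parser drops
    XML comments, unlike a text grep over the file."""
    for node in ET.fromstring(policy_xml).iter():
        if node.tag.rsplit("}", 1)[-1] == element:
            return (node.text or "").strip().lower()
    return None


def is_affected(version, policy_xml):
    """Same decision as the EDR query: the installed version selects the
    branch, and that branch's policy setting must read 'false'."""
    if version in RESTRICT_SETTING_VERSIONS:
        return policy_setting(policy_xml, "RestrictScriptWebDeploy") == "false"
    if parse_version(version) < FIRST_RESTRICT_VERSION:
        return policy_setting(policy_xml, "BypassDownloader") == "false"
    return False
```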