CVE-2021-1386
📋 TL;DR
This vulnerability allows authenticated local attackers to perform DLL hijacking attacks on affected Cisco security products for Windows. Attackers can execute arbitrary code with SYSTEM privileges by placing malicious DLL files in specific directories. Affected products include Cisco AMP for Endpoints Windows Connector, ClamAV for Windows, and Immunet.
💻 Affected Systems
- Cisco Advanced Malware Protection (AMP) for Endpoints Windows Connector
- ClamAV for Windows
- Immunet
📦 What is this software?
Advanced Malware Protection For Endpoints by Cisco
Clamav by Cisco
Immunet by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing complete control over the affected Windows system, data theft, lateral movement, and persistence establishment.
Likely Case
Privilege escalation from authenticated user to SYSTEM, enabling installation of malware, backdoors, or credential harvesting tools on the compromised system.
If Mitigated
Limited impact due to proper access controls, application whitelisting, and restricted user permissions preventing DLL placement in vulnerable directories.
🎯 Exploit Status
Requires authenticated local access and ability to place DLL files in specific directories. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco advisory for specific fixed versions for each product
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-amp-imm-dll-tu79hvkO
Restart Required: Yes
Instructions:
1. Review the Cisco advisory for affected versions.
2. Update to the patched versions of AMP for Endpoints Windows Connector, ClamAV for Windows, or Immunet.
3. Restart affected systems after the update.
🔧 Temporary Workarounds
Restrict DLL loading directories
Apply directory permissions so that unauthorized users cannot write DLL files into the vulnerable search paths. Deny ACEs take precedence over allow ACEs, so the rules below also block administrators whose token includes the Users group; test on one host before rolling out.
icacls "C:\Program Files\Cisco\AMP" /deny Users:(OI)(CI)W
icacls "C:\Program Files\Immunet" /deny Users:(OI)(CI)W
Enable application control policies
Use Windows AppLocker or a similar application control mechanism to restrict which DLLs these applications are allowed to load
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from writing files to application directories
- Monitor for suspicious DLL creation/modification in Cisco security product directories using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check installed versions of Cisco AMP for Endpoints, ClamAV for Windows, or Immunet against vulnerable versions listed in Cisco advisory
Check Version:
- AMP: check the AMP console or the connector logs.
- ClamAV: run clamscan --version.
- Immunet: open About in the Immunet interface.
Verify Fix Applied:
Verify installed version matches or exceeds patched versions specified in Cisco advisory
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loads from non-standard directories
- Failed DLL load attempts from Cisco security applications
- File creation events in Cisco application directories by non-admin users
Network Indicators:
- Unusual outbound connections from Cisco security applications
- Beaconing behavior from systems running affected software
SIEM Query:
(EventID=4663 OR EventID=4656) AND (ObjectName LIKE '%Cisco%AMP%' OR ObjectName LIKE '%Immunet%') AND (Accesses CONTAINS 'WriteData' OR Accesses CONTAINS 'WRITE_DAC' OR Accesses CONTAINS 'WRITE_OWNER')
The parentheses matter: AND binds tighter than OR, so without them the filter matches every 4663 event regardless of path. WriteData (or AddFile) is the access recorded when a file is created or overwritten, which is the DLL placement the Log Indicators describe; WRITE_DAC and WRITE_OWNER only catch permission and ownership changes. These events are generated only when object access auditing is enabled and a SACL is set on the product directories.
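As an added example that is not part of this advisory page, the same detection logic expressed in Python over constructed Security-log records, assuming the events are available as dictionaries with the field names the SIEM query above uses (EventID, ObjectName, Accesses, SubjectUserName) and that the product services run as SYSTEM:

```python
# Default install directories named in the workaround section above.
WATCHED_DIRS = (
    r"C:\Program Files\Cisco\AMP",
    r"C:\Program Files\Immunet",
)
# Access strings as they appear in the 4663/4656 "Accesses" field.
WRITE_ACCESSES = ("WriteData", "AddFile", "WRITE_DAC", "WRITE_OWNER")
# Assumption: only service accounts legitimately write here; extend this set
# with your deployment/update accounts.
TRUSTED_SUBJECTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_suspicious(event: dict) -> bool:
    """True when a file-system audit event shows a non-service account writing
    (or changing the ACL/owner of) a .dll under a watched directory."""
    if event.get("EventID") not in (4656, 4663):
        return False
    obj = event.get("ObjectName", "")
    in_dir = any(obj.lower().startswith(d.lower() + "\\") for d in WATCHED_DIRS)
    if not in_dir or not obj.lower().endswith(".dll"):
        return False
    accesses = event.get("Accesses", "")
    if not any(a in accesses for a in WRITE_ACCESSES):
        return False
    return event.get("SubjectUserName", "").upper() not in TRUSTED_SUBJECTS


def find_dll_writes(events):
    """Return the subset of events that should raise an alert."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample records (not real telemetry) in the shape of Windows
# Security events 4663/4656 once SACL auditing is enabled on the directories.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "Accesses": "WriteData (or AddFile)",
     "ObjectName": r"C:\Program Files\Cisco\AMP\example.dll"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "Accesses": "WriteData (or AddFile)",
     "ObjectName": r"C:\Program Files\Cisco\AMP\example.dll"},
    {"EventID": 4663, "SubjectUserName": "alice", "Accesses": "WriteData (or AddFile)",
     "ObjectName": r"C:\Program Files\Immunet\readme.txt"},
    {"EventID": 4663, "SubjectUserName": "alice", "Accesses": "ReadData (or ListDirectory)",
     "ObjectName": r"C:\Program Files\Cisco\AMP\example.dll"},
    {"EventID": 4656, "SubjectUserName": "bob", "Accesses": "WRITE_DAC",
     "ObjectName": r"C:\Program Files\Immunet\sample.dll"},
]

if __name__ == "__main__":
    for e in find_dll_writes(SAMPLE_EVENTS):
        print(f"ALERT: {e['SubjectUserName']} -> {e['ObjectName']} ({e['Accesses']})")
```

Only the first and last sample records are flagged: the SYSTEM write, the non-DLL file and the read-only access are all filtered out.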