Cisco Security Advisory

Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client

Advisory ID: cisco-sa-20120620-ac

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac

Revision 2.1

Last Updated  2012 October 18 15:31  UTC (GMT)

For Public Release 2012 June 20 16:00  UTC (GMT)


Summary

The Cisco AnyConnect Secure Mobility Client is affected by the following vulnerabilities:

  • Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
  • Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
  • Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability
  • Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability
  • Cisco Secure Desktop Arbitrary Code Execution Vulnerability
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac

Affected Products


Vulnerable Products

The vulnerabilities described in this document apply to the Cisco AnyConnect Secure Mobility Client and, where noted, to Cisco Secure Desktop and Hostscan. The affected versions are listed below by vulnerability and platform:

Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
  Microsoft Windows
    • 2.x releases prior to 2.5 MR6 (2.5.6005)
  Linux, Apple Mac OS X
    • 2.x releases prior to 2.5 MR6 (2.5.6005)
    • 3.0.x releases prior to 3.0 MR8 (3.0.08057)

Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
  Microsoft Windows
    • 2.x releases prior to 2.5 MR6 (2.5.6005)
    • 3.0.x releases prior to 3.0 MR8 (3.0.08057)
  Linux, Apple Mac OS X
    • 2.x releases prior to 2.5 MR6 (2.5.6005)
    • 3.0.x releases prior to 3.0 MR8 (3.0.08057)

Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability
  Microsoft Windows, Linux, Apple Mac OS X
    • AnyConnect 3.0.x releases prior to 3.0 MR8 (3.0.08057)
    • Hostscan 3.0.x releases prior to 3.0 MR8 (3.0.08062)
    • Cisco Secure Desktop releases prior to 3.6.6020

Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability
  Linux 64-bit
    • 3.0.x releases prior to 3.0 MR7 (3.0.7059)

Cisco Secure Desktop Arbitrary Code Execution Vulnerability
  Microsoft Windows, Linux, Apple Mac OS X
    • Cisco Secure Desktop releases prior to 3.6.6020

Note: Microsoft Windows Mobile versions of Cisco AnyConnect Secure Mobility Client are affected by the Arbitrary Code Execution Vulnerability. No fixed versions of the Cisco AnyConnect Secure Mobility Client for Windows Mobile are planned.

Products Confirmed Not Vulnerable

These vulnerabilities do not affect Cisco AnyConnect client software that runs on Apple iOS, Cisco Cius, or Google Android. Those versions do not support the self-updating download mechanisms that contain these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The Cisco AnyConnect Secure Mobility Client is the Cisco next-generation VPN client, which provides remote users with secure IPsec (IKEv2) or SSL Virtual Private Network (VPN) connections to Cisco 5500 Series Adaptive Security Appliances (ASA) and devices that are running Cisco IOS Software.

Cisco AnyConnect Secure Mobility Client can be deployed in two ways: pre-deploy and web-deploy. In a pre-deploy scenario, the Cisco AnyConnect Secure Mobility Client is installed or upgraded as traditional desktop software by an end-user or possibly via an enterprise deployment tool. In a web-deploy scenario, the Cisco AnyConnect Secure Mobility Client is installed or upgraded via packages installed on the headend. Further, the web-deploy scenario can be initiated in two ways: standalone initiation and WebLaunch initiation. During standalone initiation, an end-user system will contact the headend via the AnyConnect client to receive deployed packages. During a WebLaunch initiation, any end-user system that visits a website which attempts to instantiate a downloader component will be prompted to install or upgrade Cisco AnyConnect Secure Mobility Client. In normal operation, this website would be a clientless portal; during a malicious attack, any website that hosted a copy of the vulnerable component could masquerade as a trustworthy site and attempt to convince the user to instantiate the vulnerable component.

All of the vulnerabilities described in this advisory are exploited through the software update mechanisms used for WebLaunch-initiated web deployment. All affected versions of Cisco AnyConnect Secure Mobility Client are susceptible regardless of how they were deployed onto end-user systems. In addition, because the WebLaunch components are signed by Cisco and because these vulnerabilities allow arbitrary installation of malicious software, any end-user system that instantiates a vulnerable WebLaunch downloader component may be affected, including systems on which Cisco AnyConnect Secure Mobility Client has never been installed.

Systems that lack fixed Cisco software remain exposed to these vulnerabilities. Cisco has requested that Microsoft and Oracle block the vulnerable ActiveX controls and Java applets through their own software update channels. Microsoft released Windows security advisory 2736233, which sets the system-wide kill-bit for the vulnerable ActiveX controls, and Oracle released Java SE 6 Update 37 and Java SE 7 Update 9, which blacklist the vulnerable signed Java applets. Refer to the "Workarounds" section for the functionality changes that result from blacklisting signed Java applets.

The Cisco AnyConnect Secure Mobility Client is affected by the following vulnerabilities:

Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability:

Cisco AnyConnect Secure Mobility Client contains an arbitrary code execution vulnerability. An unauthenticated, remote attacker could execute arbitrary code on systems that have received the ActiveX or Java components that perform the WebLaunch functionality for Cisco AnyConnect Secure Mobility Client. The attacker may supply vulnerable ActiveX or Java components for execution by an end-user. The affected ActiveX and Java components do not perform sufficient input validation and, as a result, may allow an attacker to deliver arbitrary code to an affected system and execute the code with the privileges of the user's web browser session. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable ActiveX control or Java applet. Depending on the user's browser configuration, the process of executing the control or applet may require little or no user interaction because the vulnerable ActiveX controls and Java applets are cryptographically signed by Cisco.

Fixed versions of Cisco AnyConnect Secure Mobility Client correct this vulnerability by ensuring that the downloader process does not support the execution of arbitrary binaries that are specified during WebLaunch initiation.

This vulnerability is documented in Cisco Bug ID CSCtw47523 (registered customers only) and has been assigned Common Vulnerability and Exposure (CVE) ID CVE-2012-2493.

Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability:

Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an attacker to downgrade the Cisco AnyConnect Secure Mobility Client software version to a prior software version. An unauthenticated, remote attacker could cause systems that have installed affected versions of the Cisco AnyConnect Secure Mobility client to download and install an older version of the client software. The affected ActiveX and Java components used for WebLaunch do not perform sufficient input validation and, as a result, may allow an attacker to deliver prior versions of code signed by Cisco. Older versions of Cisco AnyConnect Secure Mobility Client software could contain vulnerabilities that were not present in the system's initial software version, and expose the system to additional vulnerabilities. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable ActiveX control or Java applet. Depending on the user's browser configuration, the process of executing the control or applet may require little or no user interaction because the vulnerable ActiveX controls and Java applets are cryptographically signed by Cisco.

Fixed versions of Cisco AnyConnect Secure Mobility Client correct this vulnerability by ensuring that the timestamp of signed code that is downloaded during WebLaunch initiation is not older than the timestamp of the installed software.

This vulnerability is documented in Cisco Bug ID CSCtw48681 (registered customers only) and has been assigned Common Vulnerability and Exposure (CVE) ID CVE-2012-2494.

Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability:

Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an attacker to downgrade the affected software to a prior software version. This vulnerability is also present in Cisco Secure Desktop. An unauthenticated, remote attacker could cause systems that have installed affected versions of the Cisco AnyConnect Secure Mobility client or Cisco Secure Desktop to download and install an older version of the client software. The affected ActiveX and Java components of these affected software programs do not perform sufficient input validation and, as a result, may allow an attacker to deliver prior versions of code signed by Cisco. Older versions of Cisco AnyConnect Secure Mobility Client software or Cisco Secure Desktop software could contain vulnerabilities that were not present in the system's initial software version, thus exposing the system to additional vulnerabilities. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable ActiveX control or Java applet. Depending on the user's browser configuration, the process of executing the control or applet may require little or no user interaction because the vulnerable ActiveX controls and Java applets are cryptographically signed by Cisco.

Fixed versions of Cisco AnyConnect Secure Mobility Client correct this vulnerability by ensuring that the timestamp of signed code that is downloaded during WebLaunch initiation is not older than the timestamp of the installed software.

This vulnerability is documented in Cisco Bug ID CSCtx74235 (registered customers only) and has been assigned Common Vulnerability and Exposure (CVE) ID CVE-2012-2495.
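The fixes for both downgrade vulnerabilities share one rule: a package delivered through WebLaunch must not be older than what is already installed. The following Python is an added example, not the AnyConnect downloader's own code. It models that rule on the version strings this advisory uses ("2.5.6005", "3.0.08057") and shows why the comparison has to be numeric per component rather than lexical. The fixed client compares signed-code timestamps; comparing version numbers and the accept_package helper are this example's simplification.

```python
"""Refuse WebLaunch packages that are older than the installed build.

Added example; not the AnyConnect downloader's code. It models the fix
described above on the version strings this advisory uses. The fixed client
compares signed-code timestamps; comparing version numbers is this example's
simplification, and accept_package is a hypothetical helper.
"""
import re

_VERSION = re.compile(r"\d+(\.\d+)*")


def parse_version(version: str) -> tuple:
    """'3.0.08057' -> (3, 0, 8057).

    Components are compared as integers so a zero-padded build number sorts
    correctly. Compared as strings, '3.0.08057' (3.0 MR8) sorts before
    '3.0.7059' (3.0 MR7), and an MR8 -> MR7 downgrade would go unnoticed.
    """
    if not _VERSION.fullmatch(version):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_downgrade(installed: str, offered: str) -> bool:
    return parse_version(offered) < parse_version(installed)


def accept_package(installed: str, offered: str, signature_valid: bool) -> str:
    """Policy decision for a package offered by the headend (or a malicious page)."""
    if not signature_valid:
        return "reject: package is not signed by the expected publisher"
    if is_downgrade(installed, offered):
        return f"reject: {offered} is older than the installed {installed}"
    return f"accept: {offered}"


if __name__ == "__main__":
    for installed, offered in [("3.0.08057", "3.0.7059"), ("2.5.6005", "3.0.08057")]:
        print(installed, "->", offered, ":", accept_package(installed, offered, True))
```

Note that the string comparison `"3.0.7059" < "3.0.08057"` is False, so a downloader that compared version strings directly would accept the MR7 package on an MR8 system; the integer tuple comparison rejects it.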

Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability:

Cisco AnyConnect Secure Mobility Client contains an arbitrary code execution vulnerability. An unauthenticated, remote attacker could execute arbitrary code on systems that have received the 64-bit Java applet that performs the WebLaunch VPN downloader functionality for Cisco AnyConnect Secure Mobility Client. The attacker may supply vulnerable Java components for execution by an end-user. The affected Java component does not perform sufficient input validation and as a result could allow an attacker to deliver arbitrary code to an affected system and execute the code with the privileges of the user's web browser session. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable Java applet. The affected Java applets are not cryptographically signed by Cisco.

The Java applet affected by this vulnerability is not signed by Cisco and was previously distributed as unsupported code. This code has been removed in Release 3.0 MR7 (3.0.7059) and later.

This vulnerability is documented in Cisco Bug ID CSCty45925 (registered customers only) and has been assigned Common Vulnerability and Exposure (CVE) ID CVE-2012-2496.

Cisco Secure Desktop Arbitrary Code Execution Vulnerability

Cisco Secure Desktop contains an arbitrary code execution vulnerability. An unauthenticated, remote attacker could execute arbitrary code on systems that have received the ActiveX or Java components that perform the WebLaunch functionality for Cisco Secure Desktop. The attacker may supply vulnerable ActiveX or Java components for execution by an end-user. The affected ActiveX and Java components do not perform sufficient input validation and, as a result, may allow an attacker to deliver arbitrary code to an affected system and execute the code with the privileges of the user's web browser session. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable ActiveX control or Java applet. Depending on the user's browser configuration, the process of executing the control or applet may require little or no user interaction because the vulnerable ActiveX controls and Java applets are cryptographically signed by Cisco.

Fixed versions of Cisco Secure Desktop correct this vulnerability by ensuring that the downloader process does not support the execution of arbitrary binaries that are specified during WebLaunch initiation.

This vulnerability is documented in Cisco Bug IDs CSCtz76128 (registered customers only) and CSCtz78204 (registered customers only) and has been assigned Common Vulnerability and Exposure (CVE) ID CVE-2012-4655.

Additional Considerations for Cisco AnyConnect VPN, Cisco Secure Desktop and Cisco Hostscan Downloader Vulnerabilities:

New versions of the ActiveX control and Java applet that ship with the Cisco AnyConnect Secure Mobility Client make use of code signing to validate the authenticity of components that are downloaded from the headend; however, older versions do not validate downloaded components. An attacker may engineer a web page to supply an affected version of the ActiveX control or Java applet and still accomplish arbitrary program execution because of the lack of authenticity validation.

Mitigating the risk of older versions of the ActiveX control can be accomplished in the following ways:

  • Load a fixed version of Cisco AnyConnect Secure Mobility Client on the headend and initiate an upgrade by means of a web browser or standalone client. This action will cause the new version of the Cisco AnyConnect Secure Mobility Client, including a new version of the ActiveX control to install. When this installation occurs, Cisco AnyConnect Secure Mobility Client will no longer permit older versions of the ActiveX control to execute on the system.
  • Pre-deploy a fixed version of Cisco AnyConnect Secure Mobility Client through enterprise software upgrade infrastructure. This action accomplishes the same result as the previous recommendation and deploys new, fixed versions of the ActiveX control. When this installation occurs, Cisco AnyConnect Secure Mobility Client will no longer permit older versions of the ActiveX control to execute on the system.
  • If deploying the client from the headend is not needed, then the kill-bit for the Cisco AnyConnect Secure Mobility Client ActiveX control can be set locally. This action prevents the ActiveX control from being instantiated under any scenario. Instructions for setting the kill-bit are beyond the scope of this document. Refer to the Microsoft Support article "How to stop an ActiveX control from running in Internet Explorer" at http://support.microsoft.com/kb/240797 and the Microsoft Security Vulnerability Research & Defense's "Kill-Bit FAQ" blog posts referenced in the Microsoft Support article for more information. See the "Workarounds" section of this document for details about the functionality changes encountered by setting kill-bits.

The CLSIDs (Class Identifiers) for the vulnerable VPN downloader ActiveX controls used by the Cisco AnyConnect Secure Mobility Client (CSCtw47523 and CSCtw48681) are:

  Cisco AnyConnect VPN Version               CLSID
  <= 2.5.3046, 3.0.0629 - 3.0.2052           55963676-2F5E-4BAF-AC28-CF26AA587566
  2.5.3051 - 2.5.3055, 3.0.3050 - 3.0.7059   CC679CB8-DC4B-458B-B817-D447B3B6AC31

The CLSIDs for the vulnerable Cisco Secure Desktop and Hostscan ActiveX controls used by the Cisco AnyConnect Secure Mobility Client (Cisco Secure Desktop: CSCtz76128 and CSCtz78204; Hostscan: CSCtx74235) are:

  Cisco Secure Desktop Hostscan Version   Cisco AnyConnect Hostscan Version   CLSID
  3.1.1.45 - 3.5.841                      -                                   705EC6D4-B138-4079-A307-EF13E4889A82
  3.5.1077 - 3.5.2008                     3.0.0629 - 3.0.1047                 F8FC1530-0608-11DF-2008-0800200C9A66
  3.6.181 - 3.6.5005                      3.0.2052 - 3.0.7059                 E34F52FE-7769-46ce-8F8B-5E8ABAD2E9FC
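As an added example (not Cisco's or Microsoft's code), the following Python turns the CLSID tables above into a .reg file that sets the kill-bit for each control, and reads such a file back to confirm the bit is present. It writes the flag under both the native ActiveX Compatibility key and the Wow6432Node key, which is the view 32-bit Internet Explorer uses on 64-bit Windows; the 0x400 flag value and the key locations are those documented in the Microsoft KB article cited above. The output file name and the description strings are this example's own, and the CLSIDs are upper-cased (CLSIDs are case-insensitive).

```python
"""Build and verify an ActiveX kill-bit .reg file for the CLSIDs above.

Added example; not Cisco or Microsoft code. Registry locations and the 0x400
kill-bit value are those documented in Microsoft KB240797, which the advisory
cites. The descriptions next to each CLSID summarise the advisory's tables.
"""
KILL_BIT = 0x00000400
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view.
ACTIVEX_COMPAT_WOW64 = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"

# CLSIDs from the two tables above.
VULNERABLE_CLSIDS = {
    "55963676-2F5E-4BAF-AC28-CF26AA587566": "AnyConnect VPN downloader, <= 2.5.3046 and 3.0.0629 - 3.0.2052",
    "CC679CB8-DC4B-458B-B817-D447B3B6AC31": "AnyConnect VPN downloader, 2.5.3051 - 2.5.3055 and 3.0.3050 - 3.0.7059",
    "705EC6D4-B138-4079-A307-EF13E4889A82": "CSD Hostscan 3.1.1.45 - 3.5.841",
    "F8FC1530-0608-11DF-2008-0800200C9A66": "CSD Hostscan 3.5.1077 - 3.5.2008 / AnyConnect Hostscan 3.0.0629 - 3.0.1047",
    "E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC": "CSD Hostscan 3.6.181 - 3.6.5005 / AnyConnect Hostscan 3.0.2052 - 3.0.7059",
}


def build_killbit_reg(clsids: dict, wow64: bool = True) -> str:
    """Return .reg text that sets Compatibility Flags = 0x400 for each CLSID."""
    bases = [ACTIVEX_COMPAT, ACTIVEX_COMPAT_WOW64] if wow64 else [ACTIVEX_COMPAT]
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid, description in clsids.items():
        for base in bases:
            lines.append(f"; {description}")
            lines.append(f"[HKEY_LOCAL_MACHINE\\{base}\\{{{clsid.upper()}}}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\r\n".join(lines)


def killed_clsids(reg_text: str) -> set:
    """CLSIDs whose Compatibility Flags value in reg_text has the kill-bit set.

    Works on the file produced above and on the output of `reg export` for the
    ActiveX Compatibility key, so it can audit an existing machine.
    """
    killed, current = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            in_compat = parent.upper().endswith("ACTIVEX COMPATIBILITY")
            current = leaf.strip("{}").upper() if in_compat else None
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags = int(line.split("dword:", 1)[1], 16)
            if flags & KILL_BIT:
                killed.add(current)
    return killed


if __name__ == "__main__":
    reg = build_killbit_reg(VULNERABLE_CLSIDS)
    # Output file name is this example's choice; import it with regedit or reg.exe.
    with open("anyconnect-killbits.reg", "w", encoding="utf-8", newline="") as fh:
        fh.write(reg)
    missing = set(VULNERABLE_CLSIDS) - killed_clsids(reg)
    print("all kill-bits present" if not missing else f"missing: {missing}")
```

Importing the file on a machine that never had AnyConnect installed is worthwhile as well: the kill-bit stops Internet Explorer from instantiating the Cisco-signed control regardless of whether the control has been downloaded yet, which is the case the advisory's Workarounds section calls out.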

Mitigating the risk of executing old versions of the signed Java applets can be accomplished by blacklisting vulnerable versions using the JAR blacklist feature introduced with Java SE 6 Update 14. For information on the JAR blacklist feature refer to the Java SE 6 Update 14 release notes, available at http://www.oracle.com/technetwork/java/javase/6u14-137039.html. Note that the unsigned Java applet described in Cisco defect CSCty45925 cannot be blacklisted because this mitigation is only relevant for signed applets. See the "Workarounds" section for details about the functionality changes encountered by blacklisting signed Java applets.

The SHA-1 message digests for the Cisco AnyConnect Secure Mobility Client JAR files affected by the VPN downloader vulnerabilities (CSCtw47523 and CSCtw48681) are as follows:

  Cisco AnyConnect VPN Software Versions   Java SHA-1 Message Digest
  2.0.0343 (Windows)                       L0l3WOuMNWujmXo5+O/GtmGyyYk=
  2.0.0343 (Linux)                         uWffvhFaWVw3lrER/SJH7Hl4yFg=
  2.1.0148                                 YwuPyF/KMcxcQhgxilzNybFM2+8=
  2.2.0133 - 2.2.0140                      ya6YNTzMCFYUO4lwhmz9OWhhIz8=
  2.3.0185 - 2.3.1003                      D/TyRle6Sl+CDuBFmdOPy03ERaw=
  2.3.2016 - 2.5.2019                      x17xGEFzBRXY2pLtXiIbp8J7U9M=
  2.5.3046 - 2.5.3055                      0CUppG7J6IL8xHqPCnA377Koahw=
  3.0.0629                                 nv5+0eBNHpRIsB9D6TmEbWoNCTs=
  3.0.1047 - 3.0.5080                      qMVUh9i3yJcTKpuZYSFZH9dspqE=

The SHA-1 message digests for the Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop JAR files affected by the Cisco Secure Desktop and Hostscan vulnerabilities (Cisco Secure Desktop: CSCtz76128 and CSCtz78204; Hostscan: CSCtx74235) are as follows:

  Cisco Secure Desktop Hostscan Version   Cisco AnyConnect Hostscan Version   Java SHA-1 Message Digest
  3.1.1.45                                -                                   3aJU1qSK6IYmt5MSh2IIIj5G1XE=
  3.2.0.136                               -                                   l93uYyDZGyynzYTknp31yyuNivU=
  3.2.1.103                               -                                   eJfWm86yHp2Oz5U8WrMKbpv6GGA=
  3.2.1.126                               -                                   Q9HXbUcSCjhwkgpk5NNVG/sArVA=
  3.3.0.118                               -                                   cO2ccW2cckTvpR0HVgQa362PyHI=
  3.3.0.151                               -                                   cDXEH+bR01R8QVxL+KFKYqFgsR0=
  3.4.373                                 -                                   lbhLWSopUIqPQ08UVIA927Y7jZQ=
  3.4.1108                                -                                   vSd+kv1p+3jrVK9FjDCBJcoy5us=
  3.4.2048                                -                                   TFYT30IirbYk89l/uKykM6g2cVQ=
  3.5.841                                 -                                   Y82nn7CFTu1XAOCDjemWwyPLssg=
  3.5.1077                                -                                   PVAkXuUCgiDQI19GPrw01Vz4rGQ=
  3.5.2001                                -                                   C4mtepHAyIKiAjjqOm6xYMo8TkM=
  3.5.2003                                -                                   l4meuozuSFLkTZTS6xW3sixdlBI=
  3.5.2008                                -                                   B1NaDg834Bgg+VE9Ca+tDZOd2BI=
  3.6.181                                 -                                   odqJCMnKdgvQLOCAMSWEj1EPQTc=
  3.6.185                                 -                                   WyqHV02O4PYZkcbidH4HKlp/8hY=
  3.6.1001                                -                                   HSPXCvBNG/PaSXg8thDGqSeZlR8=
  -                                       3.0.0629 - 3.0.1047                 OfQZHjo8GK14bHD4z4dDIp4ZFjE=
  -                                       3.0.2052                            8F4F0TXA4ureZbfEXWIFm76QGg4=
  -                                       3.0.3054 - 3.0.4016                 bOoQga+XxC3j0HiP552+fYCdswo=
  -                                       3.0.4216 - 3.0.4235                 WX77FlRyFyeUriu+xi/PE1uLALU=
  3.6.2002                                3.0.5009                            g3mA5HqcRBlKaUVQsapnKhOSEas=
  3.6.3002                                -                                   trhKo6XiSGxRrS//rCL9e3Ca6D4=
  3.6.4021                                3.0.5075 - 3.0.5080                 obWCTaz3uOZwDBDZUsbrrTKoDig=
  3.6.5005                                3.0.7042 - 3.0.7059                 iMHjGyv5gEnTi8uj68yzalml8XQ=
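As an added example, not Cisco or Oracle code, the following Python computes the digest that the JAR blacklist feature described above matches on, checks it against the VPN downloader digests in the first table, and renders those digests in the blacklist file's line format. It assumes (the advisory does not say so) that each listed "Java SHA-1 Message Digest" is the base64-encoded SHA-1 of the JAR's META-INF/MANIFEST.MF, which is the SHA1-Digest-Manifest value a signed JAR carries in its .SF file and the form of entry in the JRE's lib/security/blacklist. The sample JAR is constructed in memory and is not a Cisco artifact; the function names are this example's own.

```python
"""Compute the JAR digest the Java blacklist matches on and check it.

Added example; not Cisco or Oracle code. Assumption (not stated in the
advisory): each "Java SHA-1 Message Digest" listed is the base64 SHA-1 of the
JAR's META-INF/MANIFEST.MF, i.e. the SHA1-Digest-Manifest value a signed JAR
carries in its .SF file and the form of entry in the JRE's lib/security/blacklist.
"""
import base64
import hashlib
import io
import zipfile

# Digests copied from the VPN downloader table above (CSCtw47523 / CSCtw48681).
ADVISORY_VPN_DIGESTS = {
    "L0l3WOuMNWujmXo5+O/GtmGyyYk=": "2.0.0343 (Windows)",
    "uWffvhFaWVw3lrER/SJH7Hl4yFg=": "2.0.0343 (Linux)",
    "YwuPyF/KMcxcQhgxilzNybFM2+8=": "2.1.0148",
    "ya6YNTzMCFYUO4lwhmz9OWhhIz8=": "2.2.0133 - 2.2.0140",
    "D/TyRle6Sl+CDuBFmdOPy03ERaw=": "2.3.0185 - 2.3.1003",
    "x17xGEFzBRXY2pLtXiIbp8J7U9M=": "2.3.2016 - 2.5.2019",
    "0CUppG7J6IL8xHqPCnA377Koahw=": "2.5.3046 - 2.5.3055",
    "nv5+0eBNHpRIsB9D6TmEbWoNCTs=": "3.0.0629",
    "qMVUh9i3yJcTKpuZYSFZH9dspqE=": "3.0.1047 - 3.0.5080",
}


def manifest_digest(jar_bytes: bytes) -> str:
    """Base64 SHA-1 over the raw bytes of META-INF/MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF")
    return base64.b64encode(hashlib.sha1(manifest).digest()).decode("ascii")


def declared_manifest_digest(jar_bytes: bytes):
    """SHA1-Digest-Manifest declared in the first META-INF/*.SF, or None if unsigned."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition(":")
                    if key.strip() == "SHA1-Digest-Manifest":
                        return value.strip()
    return None


def is_blacklisted(digest: str, blacklist=ADVISORY_VPN_DIGESTS) -> bool:
    return digest in blacklist


def render_blacklist(entries: dict) -> str:
    """Entries in the line format of the JRE blacklist file."""
    lines = ["# Cisco AnyConnect VPN downloader applets, cisco-sa-20120620-ac"]
    for digest, version in entries.items():
        lines.append(f"# AnyConnect {version}")
        lines.append(f"SHA1-Digest-Manifest: {digest}")
    return "\n".join(lines) + "\n"


def parse_blacklist(text: str) -> set:
    digests = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            if key.strip() == "SHA1-Digest-Manifest":
                digests.add(value.strip())
    return digests


def build_sample_jar(manifest_text: str, sf_text: str = None) -> bytes:
    """Constructed in-memory JAR (not a Cisco artifact) for exercising the code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
        if sf_text is not None:
            jar.writestr("META-INF/EXAMPLE.SF", sf_text)
        jar.writestr("Example.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar("Manifest-Version: 1.0\r\n\r\n")
    d = manifest_digest(sample)
    print(d, "BLACKLISTED" if is_blacklisted(d) else "not in the advisory's list")
    print(render_blacklist(ADVISORY_VPN_DIGESTS))
```

Because the digest is computed over the manifest rather than the whole archive, re-signing or re-compressing a JAR does not change it, and the unsigned applet from CSCty45925 has no .SF file for the blacklist to consult, which is why the advisory says it cannot be blacklisted this way.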

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

 http://intellishield.cisco.com/security/alertmanager/cvss



CSCtw47523 - Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability

CVSS Base Score - 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

CVSS Temporal Score - 7.7 (E:F/RL:OF/RC:C)
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed


CSCtw48681 - Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability

CVSS Base Score - 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None

CVSS Temporal Score - 3.6 (E:F/RL:OF/RC:C)
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed


CSCtx74235 - Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability

CVSS Base Score - 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None

CVSS Temporal Score - 3.6 (E:F/RL:OF/RC:C)
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed


CSCty45925 - Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability

CVSS Base Score - 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial

CVSS Temporal Score - 5.6 (E:F/RL:OF/RC:C)
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed


CSCtz76128 and CSCtz78204 - Cisco Secure Desktop Arbitrary Code Execution Vulnerability

CVSS Base Score - 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

CVSS Temporal Score - 7.7 (E:F/RL:OF/RC:C)
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed


Impact

For any of the vulnerabilities in cryptographically signed controls or applets, any system that trusts Cisco's signing certificate chain may be affected, even if Cisco AnyConnect Secure Mobility Client has never been installed on the system.

Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability

Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user's web browser session. If the user possesses elevated privileges, arbitrary code execution could result in complete compromise of an affected system.

Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability

Successful exploitation of the vulnerability could allow an attacker to modify the Cisco AnyConnect Secure Mobility Client installation and replace it with an arbitrary, older version of software that is signed by Cisco. This action could expose the system to subsequent attacks against vulnerabilities found in older versions of Cisco AnyConnect Secure Mobility Client software.

Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability

Successful exploitation of the vulnerability could allow an attacker to modify the Cisco AnyConnect Secure Mobility Client or Cisco Secure Desktop installation and replace it with an arbitrary, older version of the software that is signed by Cisco. This action could expose the system to subsequent attacks against vulnerabilities found in older versions of that software.

Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability

Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user's web browser session. If the user possesses elevated privileges, this action could result in complete compromise of an affected system.

Cisco Secure Desktop Arbitrary Code Execution Vulnerability

Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user's web browser session. If the user possesses elevated privileges, this action could result in complete compromise of an affected system.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

First fixed releases, by vulnerability and platform:

Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
  Microsoft Windows: 2.5 MR6 (2.5.6005)
  Linux, Apple Mac OS X: 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057)

Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
  Microsoft Windows: 2.5 MR6 (2.5.6005), 3.0 MR8 (3.0.08057)
  Linux, Apple Mac OS X: 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057)

Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability
  Microsoft Windows, Linux, Apple Mac OS X:
    • AnyConnect 3.0 MR8 (3.0.08057)
    • Hostscan 3.0 MR8 (3.0.08062)
    • Cisco Secure Desktop 3.6.6020

Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability
  Microsoft Windows: Not affected
  Linux 64-bit: 3.0 MR7 (3.0.7059)

Cisco Secure Desktop Arbitrary Code Execution Vulnerability
  Microsoft Windows, Linux, Apple Mac OS X: Cisco Secure Desktop 3.6.6020

* NOTE: Cisco AnyConnect Secure Mobility Client 2.5 MR6 for Mac OS X, which contains fixes for the VPN downloader vulnerabilities in this advisory, no longer supports OS X 10.4.

Recommended Releases

The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases.


  Software Name                             Major Release   Recommended Release
  Cisco AnyConnect Secure Mobility Client   2.5.x           2.5 MR6 (2.5.6005)
  Cisco AnyConnect Secure Mobility Client   3.0.x           3.0 MR8 (3.0.08057)
  Hostscan                                  3.0.x           3.0 MR8 (3.0.08062)
  Cisco Secure Desktop                      3.x             3.6.6020

Workarounds

Blacklists can be enforced manually, using the CLSIDs and message digests provided in the "Details" section, or by applying the updates from Microsoft (2736233) and Oracle (Java SE 6 Update 37 and Java SE 7 Update 9) that carry the vulnerable ActiveX CLSIDs and Java applet message digests. Blacklisting the vulnerable ActiveX control CLSIDs and Java applet message digests prevents the vulnerable code from instantiating. As a result, WebLaunch-initiated installation and upgrade of vulnerable software is blocked; pre-deployed software started through standalone methods and WebLaunch initiation of fixed software continue to function.

Note: For any of the vulnerabilities in cryptographically signed controls or applets, any system that trusts Cisco's signing certificate chain may be impacted, even if Cisco AnyConnect Secure Mobility Client has never been installed on the system. Using the ActiveX Control kill-bit and Java Message Digest workarounds will protect systems on which Cisco AnyConnect Secure Mobility Client is not or will not be installed.

Mitigations that can be deployed on Cisco devices in a network are available in the Cisco Applied Intelligence companion document for this advisory: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120620-ac

Obtaining Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers Using Third-Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

The vulnerabilities documented in defects CSCtw47523 and CSCtw48681 were discovered by gwslabs.com and reported to Cisco by HP's Zero Day Initiative.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.


Revision History

Revision 2.1 2012-October-18 Included details on Oracle Java SE 6u37 and Java SE 7u9, which will disable vulnerable WebLaunch controls without requiring the deployment of fixed Cisco software.
Revision 2.0 2012-September-19 Corrected an inadvertent omission in the original advisory, which failed to list that the fixes also address a vulnerability in Cisco Secure Desktop, described by CVE-2012-4655.
Revision 1.3 2012-September-09 Detailed future updates from Microsoft and Oracle which will disable vulnerable WebLaunch controls without requiring the deployment of fixed Cisco software.
Revision 1.2 2012-July-18 Added an additional Java hash to the Blacklist table for Linux version 2.0.0343.
Revision 1.1 2012-July-06 Clarified versions by including build numbers next to Maintenance Release (MR) numbers.
Revision 1.0 2012-June-20 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.