Executive Summary
Summary | |
---|---|
Title | Cisco AnyConnect SSL VPN arbitrary code execution |
Information | |||
---|---|---|---|
Name | VU#490097 | First vendor Publication | 2011-06-07 |
Vendor | VU-CERT | Last vendor Modification | 2011-09-12 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#490097
Cisco AnyConnect SSL VPN arbitrary code execution

Overview
The Cisco AnyConnect SSL VPN ActiveX and Java clients contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description
Cisco AnyConnect is an SSL VPN solution that is commonly initiated through use of a web browser. When Internet Explorer is used, the AnyConnect VPN server provides an ActiveX control that downloads and installs the AnyConnect client software. When any other browser is used, the AnyConnect VPN server provides a signed Java applet to perform that same functionality. Both the ActiveX and Java versions of the AnyConnect VPN web control fail to validate the origin of the downloaded vpndownloader.exe file before executing it.

II. Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

III. Solution
Apply an update
This issue has been addressed in version 2.3.185 of the AnyConnect ActiveX control. Cisco recommends use of version 2.5.3041 or later 2.5.x versions or 3.0.1047 or later 3.0.x versions. Please see the Cisco Security Advisory for more details. Note that although Cisco has addressed the vulnerability in the Java applet version of the AnyConnect web control, this does not provide any protection to client systems due to security limitations in the Java platform. Also note that Cisco has confirmed that the Windows Mobile version of AnyConnect is vulnerable, but no fixed versions are planned. We recommend the following workarounds:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{55963676-2F5E-4BAF-AC28-CF26AA587566}]
    "Compatibility Flags"=dword:00000400
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{55963676-2F5E-4BAF-AC28-CF26AA587566}]
    "Compatibility Flags"=dword:00000400

In the Java Control Panel item, click the "View" button in the "Temporary Internet Files" section. This will show resources that Java has downloaded. Remove any reference to VPNJava.jar or vpndownloader.exe. This will help prevent an attacker from utilizing an already-downloaded vulnerable version of the Java version of the AnyConnect web control.

Disable the vulnerable Cisco AnyConnect VPN Java applets
Java has the ability to disable specific versions of signed applets starting with JRE version 6u14. To block vulnerable versions of the Cisco AnyConnect Java applet, add the following entries to the Java blacklist file:

    # 2.5.0217, 2.5.1025, 2.5.2001, 2.5.2006, 2.5.2010,
    # 2.5.2011, 2.5.2014, 2.5.2017, 2.5.2018, 2.5.2019
    SHA1-Digest-Manifest : xmarT5s8kwnKRLxnCOoLUnxnveE=
    # 2.2.0133, 2.2.0136, 2.2.0140
    SHA1-Digest-Manifest : 2wXAWNws4uNdCioU1eoCOS4+J3o=
    # 2.0.0343, 2.1.0148
    SHA1-Digest-Manifest : OlNnvozFCxbJZbRfGiLckOE8uFQ=

Remove Cisco Systems, Inc. from the list of trusted Java certificates
In the Java Control Panel item, click the "Security" tab and then the "Certificates" button. Delete any certificates from "Cisco Systems, Inc." in the Trusted Certificates list. When prompting to run a signed Java applet, the Java runtime will pre-select an option called "Always trust content from this publisher." If this option remains enabled, then any Java applet that has been signed by the same publisher will execute without any user interaction. In this case, if a user has at any point allowed any signed Java applet from Cisco Systems Inc. to execute, and the user has not deselected the "Always trust content from this publisher" checkbox, then an attacker can use a vulnerable Java version of the AnyConnect web control and exploit it to achieve code execution. Removing the certificate from the Trusted Certificates list will cause Java to prompt the user before it executes. If any signed Java applet is executed, the user should deselect "Always trust content from this publisher." For more details, please see: CERT/CC Blog: Signed Java Applet Security: Worse than ActiveX?

Use the stand-alone Cisco AnyConnect VPN client
Vulnerabilities in the ActiveX and Java versions of Cisco AnyConnect can be avoided by using the stand-alone Cisco AnyConnect VPN Client. The stand-alone client is provided by Cisco AnyConnect if the ActiveX and Java techniques fail or if the above mitigations are in place. Rather than initiating the VPN connection through a web browser, using the stand-alone Cisco AnyConnect VPN Client will help minimize the attack surface of the Cisco AnyConnect VPN product.
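To support the cache-cleanup and blacklist workarounds above, the following Python is an added example (not part of the CERT note or any Cisco or Oracle tooling) that reads the SHA1-Digest-Manifest attribute from the main section of each META-INF/*.SF signature file in a JAR and reports files matching the three blacklisted digests. The function names, the version labels and the in-memory sample JAR are assumptions constructed for illustration; point scan_tree at whatever directory holds downloaded applets on the system being checked.

```python
import io
import os
import zipfile

# Digests copied from the note's blacklist entries; labels are its version comments.
BLACKLISTED = {
    "xmarT5s8kwnKRLxnCOoLUnxnveE=": "2.5.0217 to 2.5.2019 (listed builds)",
    "2wXAWNws4uNdCioU1eoCOS4+J3o=": "2.2.0133, 2.2.0136, 2.2.0140",
    "OlNnvozFCxbJZbRfGiLckOE8uFQ=": "2.0.0343, 2.1.0148",
}

def manifest_digests(jar):
    """Return SHA1-Digest-Manifest values from each META-INF/*.SF in a JAR."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not (upper.startswith("META-INF/") and upper.endswith(".SF")):
                continue
            text = zf.read(name).decode("utf-8", "replace").replace("\r\n", "\n")
            # Main section ends at the first blank line; unfold continuation lines.
            main = text.split("\n\n", 1)[0].replace("\n ", "")
            for line in main.split("\n"):
                key, _, value = line.partition(":")
                if key.strip().lower() == "sha1-digest-manifest":
                    found.append(value.strip())
    return found

def check_jar(jar):
    """Return the version labels of blacklisted digests found in one JAR."""
    return [BLACKLISTED[d] for d in manifest_digests(jar) if d in BLACKLISTED]

def scan_tree(root):
    """Map path -> labels for matching files; tests content, not the extension."""
    hits = {}
    for folder, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            if zipfile.is_zipfile(path) and (labels := check_jar(path)):
                hits[path] = labels
    return hits

def constructed_jar(digest):
    """Build an in-memory sample JAR (constructed test data, not a Cisco file)."""
    buf = io.BytesIO()
    sf = "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: %s\r\n\r\n" % digest
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/SAMPLE.SF", sf + "Name: A.class\r\nSHA1-Digest: AAAA\r\n\r\n")
    return buf
```

A match means the file is one of the applet builds the note lists as vulnerable and should be removed; an empty result does not replace the blacklist entries or the certificate cleanup.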
Vendor Information
References
http://www.cert.org/blogs/certcc/2008/06/signed_java_security_worse_tha.html
This vulnerability was reported by Elazar Broad through iDefense. This document was written by Will Dormann.
Original Source
Url : http://www.kb.cert.org/vuls/id/490097 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
SAINT Exploits
Description | Link |
---|---|
Cisco AnyConnect Secure Mobility Client VPNWeb ActiveX Code Execution | More info here |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
72715 | Cisco AnyConnect Secure Mobility Client JRE Applet Headend Server Spoofing Re... |
72714 | Cisco AnyConnect Secure Mobility Client ActiveX IObjectSafety Headend Server ... |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Cisco AnyConnect mobility client activex clsid access attempt RuleID : 27173 - Revision : 5 - Type : BROWSER-PLUGINS |
2014-01-10 | Cisco AnyConnect ActiveX clsid access RuleID : 19909 - Revision : 10 - Type : BROWSER-PLUGINS |
2014-01-10 | Cisco AnyConnect ActiveX function call access RuleID : 19651 - Revision : 7 - Type : BROWSER-PLUGINS |
2014-01-10 | Cisco AnyConnect ActiveX clsid access RuleID : 19650 - Revision : 10 - Type : BROWSER-PLUGINS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-12-16 | Name : The remote host has software installed that is affected by multiple vulnerabi... File : macosx_cisco_anyconnect_3_0_629.nasl - Type : ACT_GATHER_INFO |
2011-06-03 | Name : The VPN client installed on the remote Windows host has multiple vulnerabilit... File : cisco_anyconnect_vpn_2_3_254.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:07:53 |
|