The Cisco AnyConnect Secure Mobility Client is affected by the following vulnerabilities:

Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability
Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability
Cisco Secure Desktop Arbitrary Code Execution Vulnerability

Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac
Vulnerability | Platform | Affected Versions
---|---|---
Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows |
 | Linux, Apple Mac OS X |
Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability | Microsoft Windows |
 | Linux, Apple Mac OS X |
Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability | Microsoft Windows |
 | Linux, Apple Mac OS X |
Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability | Linux 64-bit |
Cisco Secure Desktop Arbitrary Code Execution Vulnerability | Microsoft Windows, Linux, Apple Mac OS X |
Newer versions of the ActiveX control and Java applet that ship with the Cisco AnyConnect Secure Mobility Client use code signing to validate the authenticity of components downloaded from the headend; older versions perform no such validation. An attacker can therefore craft a web page that serves an affected (older) version of the ActiveX control or Java applet and still achieve arbitrary code execution, because that older version accepts whatever it downloads without verifying its authenticity.
Mitigating the risk of older versions of the ActiveX control requires identifying them precisely; the vulnerable controls are listed below by Class Identifier (CLSID).

The CLSIDs (Class Identifiers) for the vulnerable VPN downloader ActiveX controls used by the Cisco AnyConnect Secure Mobility Client are (CSCtw47523 and CSCtw48681):

Cisco AnyConnect VPN Version | CLSID
---|---
<= 2.5.3046, 3.0.0629 - 3.0.2052 | 55963676-2F5E-4BAF-AC28-CF26AA587566
2.5.3051 - 2.5.3055, 3.0.3050 - 3.0.7059 | CC679CB8-DC4B-458B-B817-D447B3B6AC31
The CLSIDs (Class Identifiers) for the vulnerable Cisco Secure Desktop and Hostscan ActiveX controls used by the Cisco AnyConnect Secure Mobility Client are (Cisco Secure Desktop: CSCtz76128 and CSCtz78204; Hostscan: CSCtx74235):

Cisco Secure Desktop Hostscan Version | Cisco AnyConnect Hostscan Version | CLSID
---|---|---
3.1.1.45 - 3.5.841 | - | 705EC6D4-B138-4079-A307-EF13E4889A82
3.5.1077 - 3.5.2008 | 3.0.0629 - 3.0.1047 | F8FC1530-0608-11DF-2008-0800200C9A66
3.6.181 - 3.6.5005 | 3.0.2052 - 3.0.7059 | E34F52FE-7769-46ce-8F8B-5E8ABAD2E9FC
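As an added example (not Cisco's code and not part of the original advisory), the following Python script turns the two CLSID tables above into a Windows .reg file that sets the Internet Explorer kill bit for each listed control. It assumes that the standard kill-bit mechanism (Compatibility Flags = 0x400 under the ActiveX Compatibility key, Microsoft KB 240797) is the intended way to block these controls; the CLSIDs come from the tables, while the descriptive labels and the hive list are mine.

```python
"""Generate a .reg file that sets the Internet Explorer kill bit for the
vulnerable AnyConnect / Secure Desktop / Hostscan ActiveX CLSIDs listed in
cisco-sa-20120620-ac.  Added example, not Cisco's code.  Assumption: the
kill-bit mechanism (Compatibility Flags = 0x400, Microsoft KB 240797) is
the intended way to block these controls."""
import re

# CLSIDs copied from the advisory tables; the labels are informational only.
VULNERABLE_CLSIDS = {
    "55963676-2F5E-4BAF-AC28-CF26AA587566": "AnyConnect VPN downloader <= 2.5.3046, 3.0.0629 - 3.0.2052",
    "CC679CB8-DC4B-458B-B817-D447B3B6AC31": "AnyConnect VPN downloader 2.5.3051 - 2.5.3055, 3.0.3050 - 3.0.7059",
    "705EC6D4-B138-4079-A307-EF13E4889A82": "CSD Hostscan 3.1.1.45 - 3.5.841",
    "F8FC1530-0608-11DF-2008-0800200C9A66": "CSD Hostscan 3.5.1077 - 3.5.2008 / AnyConnect Hostscan 3.0.0629 - 3.0.1047",
    "E34F52FE-7769-46ce-8F8B-5E8ABAD2E9FC": "CSD Hostscan 3.6.181 - 3.6.5005 / AnyConnect Hostscan 3.0.2052 - 3.0.7059",
}

KILL_BIT = 0x400  # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control
COMPAT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    # 32-bit IE on 64-bit Windows reads the WOW64-redirected hive, so set both.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)
_CLSID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID in canonical upper-case braced form.  Anything that is
    not a well-formed CLSID is rejected, so a typo cannot silently produce a
    registry key that kill-bits nothing."""
    bare = clsid.strip().strip("{}")
    if not _CLSID_RE.match(bare):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + bare.upper() + "}"


def kill_bit_reg(clsids) -> str:
    """Render a .reg file (importable with 'reg import') that sets
    Compatibility Flags = 0x400 for every CLSID under both hives."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid, note in sorted(clsids.items()):
        braced = normalize_clsid(clsid)
        lines.append(f"; {note}")
        for root in COMPAT_KEYS:
            lines.append(f"[{root}\\{braced}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\r\n".join(lines)  # .reg files are CRLF text


if __name__ == "__main__":
    print(kill_bit_reg(VULNERABLE_CLSIDS))
```

Import the generated file with `reg import` on each host (or deliver the same values by Group Policy Preferences), then confirm with `reg query` that the value reads 0x400 in both hives. The kill bit blocks only the CLSIDs listed; it does not remove the installed control, and the Java applet path covered later in this advisory is unaffected by it.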
Mitigating the risk of executing old versions of the signed Java applets can be accomplished by blacklisting the vulnerable versions with the JAR blacklist feature introduced in Java SE 6 Update 14. For information on the JAR blacklist feature, refer to the Java SE 6 Update 14 release notes at http://www.oracle.com/technetwork/java/javase/6u14-137039.html. Note that the unsigned Java applet described in Cisco defect CSCty45925 cannot be blacklisted, because the JAR blacklist is consulted only for signed JARs. See the "Workarounds" section for the functionality changes that result from blacklisting the signed Java applets.
The SHA-1 message digests for the Cisco AnyConnect Secure Mobility Client JAR files affected by the VPN downloader vulnerabilities (CSCtw47523 and CSCtw48681) are as follows:

Cisco AnyConnect VPN Software Versions | Java SHA-1 Message Digest
---|---
2.0.0343 - Windows | L0l3WOuMNWujmXo5+O/GtmGyyYk=
2.0.0343 - Linux | uWffvhFaWVw3lrER/SJH7Hl4yFg=
2.1.0148 | YwuPyF/KMcxcQhgxilzNybFM2+8=
2.2.0133 - 2.2.0140 | ya6YNTzMCFYUO4lwhmz9OWhhIz8=
2.3.0185 - 2.3.1003 | D/TyRle6Sl+CDuBFmdOPy03ERaw=
2.3.2016 - 2.5.2019 | x17xGEFzBRXY2pLtXiIbp8J7U9M=
2.5.3046 - 2.5.3055 | 0CUppG7J6IL8xHqPCnA377Koahw=
3.0.0629 | nv5+0eBNHpRIsB9D6TmEbWoNCTs=
3.0.1047 - 3.0.5080 | qMVUh9i3yJcTKpuZYSFZH9dspqE=
The SHA-1 message digests for the Cisco Secure Desktop and Hostscan JAR files are as follows:

Cisco Secure Desktop Hostscan Version | Cisco AnyConnect Hostscan Version | Java SHA-1 Message Digest
---|---|---
3.1.1.45 | - | 3aJU1qSK6IYmt5MSh4IIIj5G1XE=
3.2.0.136 | - | l93uYyDZGyynzYTknp31yyuNivU=
3.2.1.103 | - | eJfWm86yHp2Oz5U8WrMKbpv6GGA=
3.2.1.126 | - | Q9HXbUcSCjhwkgpk5NNVG/sArVA=
3.3.0.118 | - | cO2ccW2cckTvpR0HVgQa362PyHI=
3.3.0.151 | - | cDXEH+bR01R8QVxL+KFKYqFgsR0=
3.4.373 | - | lbhLWSopUIqPQ08UVIA927Y7jZQ=
3.4.1108 | - | vSd+kv1p+3jrVK9FjDCBJcoy5us=
3.4.2048 | - | TFYT30IirbYk89l/uKykM6g2cVQ=
3.5.841 | - | Y82nn7CFTu1XAOCDjemWwyPLssg=
3.5.1077 | - | PVAkXuUCgiDQI19GPrw01Vz4rGQ=
3.5.2001 | - | C4mtepHAyIKiAjjqOm6xYMo8TkM=
3.5.2003 | - | l4meuozuSFLkTZTS6xW3sixdlBI=
3.5.2008 | - | B1NaDg834Bgg+VE9Ca+tDZOd2BI=
3.6.181 | - | odqJCMnKdgvQLOCAMSWEj1EPQTc=
3.6.185 | - | WyqHV02O4PYZkcbidH4HKlp/8hY=
3.6.1001 | - | HSPXCvBNG/PaSXg8thDGqSeZlR8=
- | 3.0.0629 - 3.0.1047 | OfQZHjo8GK14bHD4z4dDIp4ZFjE=
- | 3.0.2052 | 8F4F0TXA4ureZbfEXWIFm76QGg4=
- | 3.0.3054 - 3.0.4016 | bOoQga+XxC3j0HiP552+fYCdswo=
- | 3.0.4216 - 3.0.4235 | WX77FlRyFyeUriu+xi/PE1uLALU=
3.6.2002 | 3.0.5009 | g3mA5HqcRBlKaUVQsapnKhOSEas=
3.6.3002 | - | trhKo6XiSGxRrS//rCL9e3Ca6D4=
3.6.4021 | 3.0.5075 - 3.0.5080 | obWCTaz3uOZwDBDZUsbrrTKoDig=
3.6.5005 | 3.0.7042 - 3.0.7059 | iMHjGyv5gEnTi8uj68yzalml8XQ=
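As an added example (not Cisco's or Oracle's code and not part of the original advisory), the following Python script builds a Java SE 6u14-style JAR blacklist from the digest tables above and checks a JAR against it. It assumes that each "Java SHA-1 Message Digest" in the tables is the base64 SHA-1 of the JAR's META-INF/MANIFEST.MF, which is the SHA1-Digest-Manifest value the JRE compares against the blacklist for a signed JAR; only a subset of the advisory's digests is embedded, the labels are mine, and the test JAR is constructed in memory rather than taken from any Cisco release.

```python
"""Build a jre/lib/security/blacklist file from the advisory's SHA-1 manifest
digests and test a JAR against it.  Added example, not Cisco's or Oracle's
code.  Assumption: the advisory digests are base64(SHA-1(META-INF/MANIFEST.MF)),
i.e. the SHA1-Digest-Manifest attribute the JAR blacklist keys on."""
import base64
import hashlib
import io
import zipfile

# Subset of the advisory's digests (the full tables above carry the rest).
ADVISORY_DIGESTS = {
    "0CUppG7J6IL8xHqPCnA377Koahw=": "AnyConnect 2.5.3046 - 2.5.3055",
    "qMVUh9i3yJcTKpuZYSFZH9dspqE=": "AnyConnect 3.0.1047 - 3.0.5080",
    "Y82nn7CFTu1XAOCDjemWwyPLssg=": "CSD Hostscan 3.5.841",
    "iMHjGyv5gEnTi8uj68yzalml8XQ=": "CSD Hostscan 3.6.5005 / AnyConnect Hostscan 3.0.7042 - 3.0.7059",
}


def blacklist_file(digests) -> str:
    """Render blacklist file contents: comment lines plus one
    'SHA1-Digest-Manifest: <base64>' line per blacklisted JAR."""
    out = ["# JAR blacklist for cisco-sa-20120620-ac (added example, not Oracle's shipped file)"]
    for digest, label in digests.items():
        # A SHA-1 is 20 bytes; anything else is a copy/paste error, not a digest.
        if len(base64.b64decode(digest, validate=True)) != 20:
            raise ValueError(f"not a base64 SHA-1 digest: {digest!r}")
        out.append(f"# {label}")
        out.append(f"SHA1-Digest-Manifest: {digest}")
    return "\n".join(out) + "\n"


def manifest_digest(jar_bytes: bytes) -> str:
    """Base64 SHA-1 of META-INF/MANIFEST.MF: the value jarsigner records as
    SHA1-Digest-Manifest in the .SF file, and the value the blacklist matches."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF")
    return base64.b64encode(hashlib.sha1(manifest).digest()).decode("ascii")


def is_blacklisted(jar_bytes: bytes, blacklist_text: str) -> bool:
    """Parse a blacklist file (ignoring comments) and test a JAR against it."""
    listed = {
        line.split(":", 1)[1].strip()
        for line in blacklist_text.splitlines()
        if line.startswith("SHA1-Digest-Manifest:")
    }
    return manifest_digest(jar_bytes) in listed


def make_test_jar(manifest: bytes) -> bytes:
    """Constructed stand-in for a downloaded applet JAR; contains no Cisco code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("com/example/Applet.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_test_jar(b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n")
    text = blacklist_file(ADVISORY_DIGESTS)
    print(manifest_digest(jar), is_blacklisted(jar, text))
```

Append the generated lines to the JRE's existing blacklist rather than replacing it, since Oracle ships entries of its own in that file. The JRE consults the blacklist only when it verifies a signed JAR, which is why the advisory's unsigned applet (CSCty45925) cannot be blocked this way; the manifest_digest check above works on any JAR, so it is also usable for inventorying applet JARs cached on hosts (for example under the Java deployment cache) against the full digest tables.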
Mitigations that can be deployed on Cisco devices in a network are available in the Cisco Applied Intelligence companion document for this advisory: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120620-ac
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Vulnerability | Platform | First Fixed Release
---|---|---
Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows | 2.5 MR6 (2.5.6005)
 | Linux, Apple Mac OS X | 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057)
Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability | Microsoft Windows | 2.5 MR6 (2.5.6005), 3.0 MR8 (3.0.08057)
 | Linux, Apple Mac OS X | 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057)
Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability | Microsoft Windows |
 | Linux, Apple Mac OS X |
Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows | Not affected
 | Linux 64-bit | 3.0 MR7 (3.0.7059)
Cisco Secure Desktop Arbitrary Code Execution Vulnerability | Microsoft Windows, Linux, Apple Mac OS X | Cisco Secure Desktop 3.6.6020
Software Name | Major Release | Recommended Release
---|---|---
Cisco AnyConnect Secure Mobility Client | 2.5.x | 2.5 MR6 (2.5.6005)
Cisco AnyConnect Secure Mobility Client | 3.0.x | 3.0 MR8 (3.0.08057)
Hostscan | 3.0.x | 3.0 MR8 (3.0.08062)
Cisco Secure Desktop | 3.x | 3.6.6020
The vulnerabilities documented in defects CSCtw47523 and CSCtw48681 were discovered by gwslabs.com and reported to Cisco by HP's Zero Day Initiative.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Description
---|---|---
Revision 2.1 | 2012-October-18 | Included details on Oracle Java SE 6u37 and Java SE 7u9, which will disable vulnerable WebLaunch controls without requiring the deployment of fixed Cisco software.
Revision 2.0 | 2012-September-19 | Corrected an inadvertent omission in the original advisory, which failed to list that the fixes also address a vulnerability in Cisco Secure Desktop, described by CVE-2012-4655.
Revision 1.3 | 2012-September-09 | Detailed future updates from Microsoft and Oracle which will disable vulnerable WebLaunch controls without requiring the deployment of fixed Cisco software.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.