To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable ActiveX control or Java applet.
The affected ActiveX and Java components do not perform sufficient input validation and, as a result, may allow an attacker to deliver arbitrary code to an affected system and execute the code with the privileges of the user's web browser session. The attacker may supply vulnerable ActiveX or Java components for execution by an end-user. An unauthenticated, remote attacker could execute arbitrary code on systems that have received the ActiveX or Java components that perform the WebLaunch functionality for Cisco An圜onnect Secure Mobility Client.
The Cisco An圜onnect Secure Mobility Client is affected by the following vulnerabilities:Ĭisco An圜onnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability:Ĭisco An圜onnect Secure Mobility Client contains an arbitrary code execution vulnerability. Please refer to the "Workarounds" section for details concerning the functionality changes encountered by blacklisting signed Java applets.
Microsoft released a Windows security advisory ( 2736233) that will set the system-wide kill-bit for vulnerable ActiveX controls, and Oracle released updates to Java SE 6 ( Update 37) and Java SE 7 ( Update 9) that blacklist the vulnerable signed Java applets.
Cisco has requested Microsoft and Oracle to blacklist ActiveX controls and Java applets through their software update channels. Systems that may lack fixed Cisco software could be impacted by this vulnerability. In addition, because the WebLaunch components are signed by Cisco and because of these vulnerabilities can allow for the arbitrary installation of malicious software, any end-user system that instantiates the vulnerable WebLaunch downloader components may be impacted, including systems that have never installed Cisco An圜onnect Secure Mobility Client. All affected versions of Cisco An圜onnect Secure Mobility Client, regardless of how they were deployed onto end-user systems, are susceptible to exploitation. The vulnerabilities described in this advisory all are exploited via the software update mechanisms used to perform WebLaunch-initiated web deployment. In normal operation, this website would be a clientless portal during a malicious attack, any website that hosted a copy of the vulnerable component could masquerade as a trustworthy site and attempt to convince the user to instantiate the vulnerable component.
During a WebLaunch initiation, any end-user system that visits a website which attempts to instantiate a downloader component will be prompted to install or upgrade Cisco An圜onnect Secure Mobility Client. During standalone initiation, an end-user system will contact the headend via the An圜onnect client to receive deployed packages. Further, the web-deploy scenario can be initiated in two ways: standalone initiation and WebLaunch initiation. In a web-deploy scenario, the Cisco An圜onnect Secure Mobility Client is installed or upgraded via packages installed on the headend. In a pre-deploy scenario, the Cisco An圜onnect Secure Mobility Client is installed or upgraded as traditional desktop software by an end-user or possibly via an enterprise deployment tool.
The Cisco An圜onnect Secure Mobility Client is the Cisco next-generation VPN client, which provides remote users with secure IPsec (IKEv2) or SSL Virtual Private Network (VPN) connections to Cisco 5500 Series Adaptive Security Appliances (ASA) and devices that are running Cisco IOS Software.Ĭisco An圜onnect Secure Mobility Client can be deployed in two ways: pre-deploy and web-deploy. No fixed versions of the Cisco An圜onnect Secure Mobility Client for Windows Mobile are planned. Note: Microsoft Windows Mobile versions of Cisco An圜onnect Secure Mobility Client are affected by the Arbitrary Code Execution Vulnerability. Cisco Secure Desktop releases prior to Ĭisco An圜onnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution VulnerabilityĬisco Secure Desktop Arbitrary Code Execution Vulnerability.Hostscan 3.0.x releases prior to 3.0MR8 (2).An圜onnect 3.0.x releases prior to 3.0 MR8 (7).The affected versions are included in the following table:Ĭisco An圜onnect Secure Mobility Client VPN Downloader Arbitrary Code Execution VulnerabilityĬisco An圜onnect Secure Mobility Client VPN Downloader Software Downgrade VulnerabilityĬisco An圜onnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability
The vulnerabilities described in this document apply to the Cisco An圜onnect Secure Mobility Client.