Earlier this summer Cisco released a security advisory for AnyConnect and CSD (Cisco Secure Desktop). The advisory describes a vulnerability in the ActiveX control and the Java applet that are used to web-deploy AnyConnect and CSD. It allows arbitrary code execution, running at the privilege level of the user who is browsing.
As a quick summary:
1) A code-execution vulnerability was discovered in the CSD and AnyConnect web-deploy components and reported to Cisco.
2) Cisco patched the software and released new versions with the fix - June/July 2012
3) Cisco removed the vulnerable versions from cisco.com - June/July 2012
4) Cisco asked Microsoft and Oracle to push "kill bits" for the vulnerable ActiveX control and Java applet
5) Microsoft is expected to push the "kill bit" on Sept 11 2012 (Patch Tuesday) with KB2736233
6) Oracle is expected to push the equivalent "java hash" (a blacklist entry for the vulnerable applet) in a future update
After the "kill bit" update from Microsoft or Oracle is installed, the end user will no longer be able to use web launch to initiate the VPN connection from the browser. The end user will see the following screens in the browser.
a) Sample screenshot in Internet Explorer (ActiveX control)
Note: The user is not offered the option to let the control run, because the kill bit blocks it outright. After ActiveX fails, the browser falls back to the Java applet.
b) Sample screenshot of the Java applet
Users will simply start seeing these error messages once their systems have had the security updates from Microsoft and/or Oracle applied; nothing on the ASA side changes.
So the good news is that this is easy to fix:
All the vulnerable versions of AnyConnect and CSD have already been removed from Cisco.com. As a result, any version you download from the website today already contains the fix.
Generally it is a good idea to stay on the release branch you are already running, so if you are currently running:
AnyConnect 2.5.xxxx upgrade to 2.5.6005 or later
AnyConnect 3.0.xxxx upgrade to 3.0.10055 or later
Alternatively you could upgrade to the latest 3.1 version.
For CSD upgrade to Cisco Secure Desktop 3.6.6020 or later.
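To check which of your deployed packages still fall below the fixed builds listed above, here is an added example (not code from the original post or from Cisco) that scans the `webvpn` section of an ASA configuration for `anyconnect image` / `csd image` lines and compares each package version against the minimum fixed build for its branch. The package-name patterns, the sample configuration and the version numbers in it are constructed assumptions for illustration; the minimum fixed builds are the ones named in the post, and 3.1 is reported as "unknown" because the post gives no minimum for it.

```python
import re

# Minimum fixed builds named in the post, keyed by (product, release branch).
# Anything on the same branch below these is one of the pulled, vulnerable builds.
FIXED_MIN = {
    ("anyconnect", (2, 5)): (2, 5, 6005),
    ("anyconnect", (3, 0)): (3, 0, 10055),
    ("csd", (3, 6)): (3, 6, 6020),
}

# Package names as they appear in ASA 'webvpn' config lines, e.g.
#   anyconnect image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
#   csd image disk0:/csd_3.6.6020-k9.pkg
# The filename layout (product, optional platform tags, dotted version) is an assumption.
PKG_RE = re.compile(r"(anyconnect|csd)[-_](?:[a-z0-9]+-)*(\d+(?:\.\d+)+)", re.IGNORECASE)

# Constructed sample of a 'show run webvpn' section; versions are made up for the example.
SAMPLE_WEBVPN = """\
webvpn
 enable outside
 csd image disk0:/csd_3.6.4021-k9.pkg
 anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.0.10055-k9.pkg 2
 anyconnect enable
"""


def parse_version(text):
    """'3.0.10055' -> (3, 0, 10055). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version):
    return ".".join(str(p) for p in version)


def check_version(product, version):
    """Return (status, message); status is 'vulnerable', 'fixed' or 'unknown'.

    Comparison is tuple-wise, so a bare '3.0' (build unknown) sorts below the
    fixed build and is flagged rather than silently passed.
    """
    product = product.lower()
    ver = parse_version(version) if isinstance(version, str) else tuple(version)
    branch = ver[:2]
    fixed = FIXED_MIN.get((product, branch))
    if fixed is None:
        if product == "anyconnect" and branch >= (3, 1):
            return "unknown", f"anyconnect {fmt(ver)}: post names no minimum for 3.1; use the latest 3.1 download"
        return "unknown", f"{product} {fmt(ver)}: branch {fmt(branch)} is not covered by the post"
    if ver >= fixed:
        return "fixed", f"{product} {fmt(ver)} is at or above fixed build {fmt(fixed)}"
    return "vulnerable", f"{product} {fmt(ver)} is below {fmt(fixed)}; upgrade to {fmt(fixed)} or later"


def audit_config(config_text):
    """Scan ASA config text for AnyConnect/CSD image lines and check each one."""
    results = []
    for line in config_text.splitlines():
        m = PKG_RE.search(line)
        if m:
            results.append(check_version(m.group(1), m.group(2)))
    return results


if __name__ == "__main__":
    for status, message in audit_config(SAMPLE_WEBVPN):
        print(f"[{status:>10}] {message}")
```

Paste the output of `show running-config webvpn` (or the whole `show run`) into `audit_config`; every image line flagged `vulnerable` needs to be replaced with a package downloaded from Cisco.com today, and the client-side kill bit will make that obvious to users if you do not.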