Jay Young
Cisco Employee

Earlier this summer Cisco released a security advisory for AnyConnect and Cisco Secure Desktop (CSD).  The advisory warns of a vulnerability in the ActiveX control and the Java applet that are used to web-deploy AnyConnect and CSD.  Exploiting it allows arbitrary code execution at the privilege level of the logged-in user.

As a quick summary:

1)  A code-execution vulnerability in the CSD and AnyConnect software was discovered and reported to Cisco.

2)  Cisco patched the software and released new versions with the fix - June/July 2012

3)  Cisco removed the vulnerable versions from cisco.com - June/July 2012

4)  Cisco asked Microsoft and Oracle to push "kill bits" for the vulnerable ActiveX control and Java applet

5)  Microsoft is expected to push the "kill bit" on Sept 11 2012 (patch Tuesday) as part of KB2736233

6)  Oracle is expected to push the equivalent "Java hash" (a blacklist entry for the vulnerable applet) in a future Java update

Symptoms:

After receiving the "kill bit" update from Microsoft or the blacklist update from Oracle, the end user will no longer be able to start the VPN connection from the browser (web launch).  The end user will see the following screens in the browser.

a)  Sample screenshot in Internet Explorer (ActiveX control)

     Note: the user is not offered the option to let the control run, because it has been blocked by the kill bit.  After the ActiveX control fails, the browser falls back to the Java applet.

activeXfail.jpg

b)  Sample screenshot of the Java applet

Javafail.jpg

Users will simply start seeing these error messages once their systems have received the security updates from Microsoft and/or Oracle.  Nothing on the ASA or in the client configuration has changed; the browser itself is refusing to load the old control or applet.
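To confirm on a client that the control is being refused because of the kill bit (and not for some other reason), the following added Python script, which is not part of this post or of any Cisco tooling, reads the Internet Explorer ActiveX Compatibility key. It assumes the documented layout of that key (the kill bit is flag 0x400 in the "Compatibility Flags" DWORD). The CLSIDs in its constructed sample dump are placeholders, not the real AnyConnect/CSD control CLSIDs; substitute the ones listed in the Microsoft KB.

```python
"""Which ActiveX controls does Internet Explorer refuse to load (kill bit set)?

Added example for this post, not part of it or of any Cisco tooling. IE stores
the kill bit as bit 0x400 of the DWORD value "Compatibility Flags" under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
The CLSIDs in the sample dump are placeholders, not the AnyConnect/CSD ones.
"""
from __future__ import annotations

import re
import sys

KILL_BIT = 0x400  # the "kill bit" flag inside Compatibility Flags
KEY_PATH = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample of `reg export` output for the key above (placeholder CLSIDs).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00010400
"""

_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\" + re.escape(KEY_PATH) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$"
)
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> dict[str, int]:
    """Map each CLSID subkey in a reg export to its Compatibility Flags value."""
    flags: dict[str, int] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            flags.setdefault(current, 0)  # subkey present, value may follow
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def is_kill_bitted(flags: int) -> bool:
    """True if the kill bit is set (other compatibility flags are ignored)."""
    return bool(flags & KILL_BIT)


def kill_bitted(flags_by_clsid: dict[str, int]) -> list[str]:
    """CLSIDs that IE will refuse to instantiate, sorted for stable output."""
    return sorted(c for c, f in flags_by_clsid.items() if is_kill_bitted(f))


def read_live_flags() -> dict[str, int]:
    """Same data from the local machine's registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read needs Windows")
    import winreg

    out: dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, clsid) as sub:
                    value, _ = winreg.QueryValueEx(sub, "Compatibility Flags")
                out[clsid] = int(value)
            except OSError:  # subkey without the value
                out[clsid] = 0
    return out


if __name__ == "__main__":
    source = read_live_flags() if sys.platform == "win32" else parse_reg_export(SAMPLE_REG_EXPORT)
    for clsid in kill_bitted(source):
        print("kill bit set:", clsid)
```

On 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node view of the same key, so check both views when the result looks inconsistent with what the user sees.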

Remediation:

So the good news is this is easy to fix:

All vulnerable versions of AnyConnect and CSD have already been removed from Cisco.com.  As a result, any version you download from the website now contains the fix.  For web-deployed clients, load the updated package on the headend that serves it, so the new control and applet are what users download.

Generally it is a good idea to stay on the release branch you are already running, so if you are currently running:

     AnyConnect 2.5.xxxx upgrade to 2.5.6005 or later

     AnyConnect 3.0.xxxx upgrade to 3.0.10055 or later

     Alternatively you could upgrade to the latest 3.1 version.

     For CSD upgrade to Cisco Secure Desktop 3.6.6020 or later.
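When there are more than a handful of clients, the branch rule above is easier to apply from an inventory than by hand. The following added Python script (not from this post or from Cisco) encodes the fixed builds the post lists and reports, per host, whether it is at the fix, needs the same-branch upgrade, is on a newer branch (3.1, which the post accepts as a target), or is on a branch the post does not cover. The inventory is constructed sample data with made-up hostnames and versions.

```python
"""Audit AnyConnect / CSD client versions against the fixed builds in this post.

Added example, not from the post or from Cisco. The fixed-version table is the
one the post gives; the inventory below is constructed sample data with made-up
hostnames and versions.
"""
from __future__ import annotations

# Lowest fixed build per product and release branch (major, minor), from the post.
FIXED = {
    "anyconnect": {(2, 5): (2, 5, 6005), (3, 0): (3, 0, 10055)},
    "csd": {(3, 6): (3, 6, 6020)},
}

# Constructed inventory: host,product,version
SAMPLE_INVENTORY = """\
# host,product,version
vpn-pc1,anyconnect,2.5.3055
vpn-pc2,anyconnect,3.0.10055
vpn-pc3,anyconnect,3.1.01065
vpn-pc4,anyconnect,2.4.1012
vpn-pc5,csd,3.6.5003
vpn-pc6,csd,3.6.6020
"""


def parse_version(s: str) -> tuple[int, ...]:
    """'3.0.10055' -> (3, 0, 10055); leading zeros as in '3.1.01065' are fine."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"unexpected version string: {s!r}")
    return parts


def fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def assess(product: str, version: str) -> tuple[str, str | None]:
    """Return (status, recommended_target) for one installed client.

    status is one of:
      'ok'             - at or above the fixed build for its branch
      'upgrade'        - below the fixed build; target is the same-branch fix
      'ok-newer'       - a branch newer than any listed (e.g. AnyConnect 3.1),
                         which the post names as an acceptable target
      'unknown-branch' - a branch the post does not cover; check the advisory
    """
    table = FIXED[product.strip().lower()]
    v = parse_version(version)
    branch = v[:2]
    if branch in table:
        fixed = table[branch]
        return ("ok", fmt(fixed)) if v[:3] >= fixed else ("upgrade", fmt(fixed))
    if branch > max(table):
        return ("ok-newer", None)
    return ("unknown-branch", None)


def audit(inventory: str) -> list[tuple[str, str, str, str | None]]:
    """Run assess() over 'host,product,version' lines; '#' lines are comments."""
    results = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(","))
        status, target = assess(product, version)
        results.append((host, status, fmt(parse_version(version)), target))
    return results


if __name__ == "__main__":
    for host, status, version, target in audit(SAMPLE_INVENTORY):
        print(f"{host:10} {version:12} {status:15} {target or ''}")
```

Only the first three version components are compared, because that is how the post states the fixed builds; a fourth component, where a product reports one, does not change the outcome.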

Comments

Thanks much

juaherre
Level 1

Thanks for the info I will share it with my co-workers.

jargueda
Level 1

Thanks

Thanks Jay for this document. I had several customers suffering from this issue.

By the way, big fan of the TAC security podcasts.

https://supportforums.cisco.com/docs/DOC-12634
