05-11-2012 01:40 AM
We have a Cisco ASA 5510 with Clientless SSL VPN portal. I just found that after installing the last Microsoft Updates, RDP bookmarks stopped working. It keeps asking that I should install Cisco Portforwarder control, and then goes back to the home page. I changed all security settings, tried to install the control manually, but nothing works. Finally, I found that after uninstalling Internet Explorer 8 update KB2675157 it works again.
Is this a known problem?
I just tested it on Windows XP with IE 8, I don't know if the problem happens in other platforms.
05-15-2012 11:45 AM
Good Afternoon,
The issue you are running into is not caused by KB2675157. This behavior was deliberately introduced by KB2695962.
As documented in:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient
The Cisco PSIRT asked Microsoft to set the Global Kill-Bit for the Cisco ActiveX Port Forwarder control on March 14th, 2012. Microsoft pushed the kill-bit for the vulnerable control in the May, 2012 Microsoft Tuesday patch bundle (May 8th, 2012).
Customers should upgrade to one of the Recommended or Later releases as listed below. The Recommended releases include fixes for issues disclosed in Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability as well as those disclosed in the ASA Client advisory.
Affected Version | First Fixed Release | Recommended Release |
Cisco ASA 7.0 | Not Vulnerable | Migrate to 7.2 or later |
Cisco ASA 7.1 | Vulnerable | Vulnerable; Migrate to 7.2 or later |
Cisco ASA 7.2 | 7.2(5.6) | 7.2(5.7) |
Cisco ASA 8.0 | 8.0(5.26) | Migrate to 8.2(5.26) or later |
Cisco ASA 8.1 | 8.1(2.53) | Migrate to 8.2(5.26) or later |
Cisco ASA 8.2 | 8.2(5.18) | 8.2(5.26) |
Cisco ASA 8.3 | 8.3(2.28) | Migrate to 8.4(3.8) or later |
Cisco ASA 8.4 | 8.4(2.16) | 8.4(3.8) |
Cisco ASA 8.5 | Not Vulnerable | 8.5(1.7) |
Cisco ASA 8.6 | 8.6(1.1) | 8.6(1.1) |
Once the affected control has been upgraded by starting a Clientless VPN session on an ASA that contains fixed software, it will be used in all sessions. This includes those with ASA devices that may not be running the updated software.
Cheers,
-Troy
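Checking a running ASA version against the First Fixed Release column of the table above, as an added example that is not part of the original post or of Cisco's advisory. The function names `parse` and `status` are hypothetical, and treating a version without an interim number, such as 8.4(2), as interim 0 is an assumption of this example.

```python
import re

# First Fixed Release per train, copied from the table in the post above.
# "NV" = listed as "Not Vulnerable"; None = listed as "Vulnerable", no fixed release.
FIRST_FIXED = {
    "7.0": "NV", "7.1": None, "7.2": "7.2(5.6)", "8.0": "8.0(5.26)",
    "8.1": "8.1(2.53)", "8.2": "8.2(5.18)", "8.3": "8.3(2.28)",
    "8.4": "8.4(2.16)", "8.5": "NV", "8.6": "8.6(1.1)",
}

# Accepts both notations used in the thread: 8.4(3.9) and 8.4.3.9
_VERSION = re.compile(r"\d+\.\d+\(\d+(\.\d+)?\)|\d+(\.\d+){2,3}")

def parse(version):
    """'8.4(2.16)' -> (8, 4, 2, 16). A missing interim number counts as 0 (assumption)."""
    text = version.strip()
    if not _VERSION.fullmatch(text):
        raise ValueError(f"unrecognised ASA version: {version!r}")
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple(nums + [0] * (4 - len(nums)))

def status(version):
    """Classify a version against the First Fixed Release of its own train."""
    parsed = parse(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIRST_FIXED:
        return "unknown train"
    fixed = FIRST_FIXED[train]
    if fixed == "NV":
        return "not vulnerable"
    if fixed is None:
        return "vulnerable, migrate"
    if parsed >= parse(fixed):
        return "fixed"
    return f"vulnerable, first fixed in {fixed}"

if __name__ == "__main__":
    # Versions mentioned in this thread, plus one from the 7.1 row of the table.
    for v in ("8.4(2)", "8.3.4", "8.4.3.9", "7.1(2)"):
        print(v, "->", status(v))
```

The comparison uses the First Fixed Release only; the Recommended Release column may name a later build or a different train.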
05-11-2012 05:01 AM
OK, I found it. The problem is not KB2675157, but KB2695962 (both are uninstalled when you delete KB2675157).
Here is the explanation from Microsoft: http://technet.microsoft.com/en-us/security/advisory/2695962 and here is the solution from Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient
In my case I have ASA 8.4(2) so I should upgrade.
05-12-2012 08:03 AM
Having the same problem. Since the update is from MAY and the Cisco fix from MARCH, I guess they won't work.
I updated to the latest 8.3.4 - did not make a difference - problem is still there.
And yeah, it's the ActiveX kill-bit update from the 8th of May. Once it's uninstalled, RDP works fine (with ActiveX).
RDP session with Java is not affected.
I assume your update did not carry the expected result?
-Markus-
FIXED
ASA Interim Release 8.4.3.9 fixed all RDP ActiveX Problems
05-13-2012 10:19 PM
Great! Users were complaining about this from last week! Thanks for the explanation.
05-14-2012 05:01 AM
I just updated to 8.3.4 and it works OK. When I tried to open the RDP bookmark from Internet Explorer it asked to install the Cisco Portforwarder complement. I did it, and when I tried to open it again it connected OK. Then I installed the Windows Updates again and it keeps working. It still doesn't work for you?
05-14-2012 12:27 PM
We had to manually remove the Cisco Portforwarder Control because it did not appear to be cleaning the old one out. We are running 8.2 code though on a 5580.
05-22-2012 06:18 AM
ASA Interim Release 8.4.(3.9) fixed all my RDP ActiveX issues I had after the MS update.