Solved: After Windows Update KB2675157 ActiveX RDP throught SSL VPN stop

mariavilaro · ‎05-11-2012

We have a Cisco ASA 5510 with Clientless SSL VPN portal. I just found that after installing the last Microsoft Updates, RDP bookmarks stopped working. It keeps asking that I should install Cisco Portforwarder control, and then goes back to the home page. I changed all security settings, tried to install the control manually, but nothing works. Finally, I found that after uninstalling Internet Explorer 8 update KB2675157 it works again.

Is this a known problem?

I just tested it on Windows XP with IE 8, I don't know if the problem happens in other platforms.

trfridle · ‎05-15-2012

Good Afternoon,

The issue you are running into is not caused by KB2675157. This behavior was deliberately introduced by KB

2695962.

As documented in:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

The Cisco PSIRT asked Microsoft to set the Global Kill-Bit for the Cisco ActiveX Port Forwarder control on March 14th, 2012. Microsoft pushed the kill-bit for the vulnerable control in the May, 2012 Microsoft Tuesday patch bundle (May 8th, 2012).

Customers should upgrade to one of the Recommended or Later releases as listed bellow. The Recommended releases include fixes for issues disclosed in Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability as well as those disclosed in the ASA Client advisory.

Affected Version	First Fixed Release	Recommended Release
Cisco ASA 7.0	Not Vulnerable	Migrate to 7.2 or later
Cisco ASA 7.1	Vulnerable	Vulnerable; Migrate to 7.2 or later
Cisco ASA 7.2	7.2(5.6)	7.2(5.7)
Cisco ASA 8.0	8.0(5.26)	Migrate to 8.2(5.26) or later
Cisco ASA 8.1	8.1(2.53)	Migrate to 8.2(5.26) or later
Cisco ASA 8.2	8.2(5.18)	8.2(5.26)
Cisco ASA 8.3	8.3(2.28)	Migrate to 8.4(3.8) or later
Cisco ASA 8.4	8.4(2.16)	8.4(3.8)
Cisco ASA 8.5	Not Vulnerable	8.5(1.7)
Cisco ASA 8.6	8.6(1.1)	8.6(1.1)

Once the affected control has been upgraded by starting a Clientless VPN session on an ASA that contains fixed software, it will be used in all sessions. This including those with ASA devices that may not be running the updated software.

Cheers,

-Troy

View solution in original post

mariavilaro · ‎05-11-2012

Ok, I found it. The problem is not KB2675157, but kb2695962 (both are uninstalled when you delete KB2675157)

Here is the explanation from microsoft http://technet.microsoft.com/en-us/security/advisory/2695962 and here the solution from Cisco http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

In my case I have ASA 8.4(2) so I should upgrade.

Michael Braun · ‎05-12-2012

Having the same problem, since the update is from MAY and the Cisco fix from MARCH i guess they wont work.

i updated to the latest 8.3.4 - did not make a difference - problem is still there.

And yeah, its the Active X Killbit update from 8th of May. ONce its uninstalled, RDP works fine (with ActiveX)

RDP session with java is not affected

I assume your update did not carry the expected result?

-Markus-

FIXED

ASA Interim Release 8.4.3.9 fixed all RDP ActiveX Problems

jyothydas · ‎05-13-2012

Great! users were complaining about this from last week! Thanks for the explanation

mariavilaro · ‎05-14-2012

I just updated to 8.3.4 and it works ok. When I tried to open the RDP bookmark from I.Explorer it asked to install the Cisco Portforwarder complement, I did it and when I tried to open it again it connected ok, then I installed the Windows Updates again and it keeps working. It still doesn't work for you?

jtennant · ‎05-14-2012

We had to manually remove the CISCO Portforwarder Control manually because it did not appear to be cleaning the old one out. We are running 8.2 code though on a 5580.

trfridle · ‎05-15-2012