10-23-2012 10:06 PM - edited 02-21-2020 06:25 PM
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac
We have 3.05080 and it is included in the unsafe versions according to that link, but people in control do not want to upgrade again because the upgrade process is very expensive and time-consuming, requiring technicians to visit many satellite offices. The users are unable to install the client software themselves because they do not have the required admin rights to install the Cisco client.
It was a several-weeks-long process to get upgraded from 2.x to 3.0 and they are not interested in doing this again so soon. I think they had their versions of 2.x for at least 5 years and do not do upgrades lightly.
How serious is the security issue in the link above, and is there documentation/news reports showing that it is actually being exploited in the wild rather than being a hypothetical exploit?
What can be done to prevent the possibility of the exploit being taken advantage of when the Cisco client is not upgraded to the latest version?
10-24-2012 09:18 AM
Hi,
Your specific AnyConnect version is no longer available on CCO:
Cisco AnyConnect Secure Mobility Client
The available releases for 3.0 are:
3.0.10057
3.0.10055
3.0.08057
I would recommend upgrading to the latest version in order to avoid any known / published vulnerability.
HTH.
Portu.
Please rate any helpful posts
10-24-2012 11:01 AM
I would prefer that they upgrade also, but they do not want to because it will be very costly to do so as I mentioned earlier and they have already downloaded and saved the other version, so they will keep deploying it even though it is not available in CCO.
They would like to see either workarounds to safely use the version they have or documented reports of this specific exploit vulnerability being used in the wild so the upgrade can be financially justified.
10-24-2012 11:06 AM
The workarounds are documented in the report:
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Vulnerability | Platform | First Fixed Release |
---|---|---|
Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows | 2.5 MR6 (2.5.6005) |
Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability | Linux, Apple Mac OS X | 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057) |
Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability | Microsoft Windows | 2.5 MR6 (2.5.6005), 3.0 MR8 (3.0.08057) |
Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability | Linux, Apple Mac OS X | 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057) |
Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability | Microsoft Windows | |
Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability | Linux, Apple Mac OS X | |
Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows | Not affected |
Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability | Linux 64-bit | 3.0 MR7 (3.0.7059) |
Cisco Secure Desktop Arbitrary Code Execution Vulnerability | Microsoft Windows, Linux, Apple Mac OS X | Cisco Secure Desktop 3.6.6020 |

Software Name | Major Release | Recommended Release |
---|---|---|
Cisco AnyConnect Secure Mobility Client | 2.5.x | 2.5 MR6 (2.5.6005) |
Cisco AnyConnect Secure Mobility Client | 3.0.x | 3.0 MR8 (3.0.08057) |
Hostscan | 3.0.x | 3.0 MR8 (3.0.08062) |
Cisco Secure Desktop | 3.x | 3.6.6020 |
In most cases an AnyConnect upgrade is mandatory; in other cases upgrading third-party software is the key.
Thanks.
HTH.
Portu.