Current Security Vulnerabilities In AnyConnect 3.0?

webabc123
Level 1

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac

We have 3.05080 and it is included in the unsafe versions according to that link, but people in control do not want to upgrade again because the upgrade process is very expensive and time consuming requiring technicians to visit many satellite offices.  The users are unable to install the client software themselves because they do not have the required admin rights to install the Cisco client.

It was a several weeks long process to get upgraded from 2.x to 3.0 and they are not interested in doing this again so soon. I think they had their versions of 2.x for at least 5 years and do not do upgrades lightly.

How serious is the security issue in the link above, and is there documentation/news reports showing that it is actually being exploited in the wild rather than being a hypothetical exploit?

What can be done to prevent the possibility of the exploit being taken advantage of when the Cisco client is not upgraded to the latest version?

3 Replies

Hi,

Your specific AnyConnect version is no longer available on CCO:

Cisco AnyConnect Secure Mobility Client

The available releases for 3.0 are:

3.0.10057

3.0.10055

3.0.08057

I would recommend upgrading to the latest version in order to avoid any known / published vulnerability.

HTH.

Portu.

Please rate any helpful posts

I would prefer that they upgrade also, but they do not want to because it will be very costly to do so as I mentioned earlier and they have already downloaded and saved the other version, so they will keep deploying it even though it is not available in CCO.

They would like to see either workarounds to safely use the version they have or documented reports of this specific exploit vulnerability being used in the wild so the upgrade can be financially justified.

The workarounds are documented in the report:

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

| Vulnerability | Platform | First Fixed Release |
| --- | --- | --- |
| Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows | 2.5 MR6 (2.5.6005) |
| | Linux, Apple Mac OS X | 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057) |
| Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability | Microsoft Windows | 2.5 MR6 (2.5.6005), 3.0 MR8 (3.0.08057) |
| | Linux, Apple Mac OS X | 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057) |
| Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability | Microsoft Windows | AnyConnect 3.0 MR8 (3.0.08057); Hostscan 3.0 MR8 (3.0.08062); Cisco Secure Desktop 3.6.6020 |
| | Linux, Apple Mac OS X | AnyConnect 3.0 MR8 (3.0.08057); Hostscan 3.0 MR8 (3.0.08062); Cisco Secure Desktop 3.6.6020 |
| Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows | Not affected |
| | Linux 64-bit | 3.0 MR7 (3.0.7059) |
| Cisco Secure Desktop Arbitrary Code Execution Vulnerability | Microsoft Windows, Linux, Apple Mac OS X | Cisco Secure Desktop 3.6.6020 |

* NOTE: Cisco AnyConnect Secure Mobility Client 2.5 MR6 for Mac OS X, which contains fixes for the VPN downloader vulnerabilities in this advisory, will no longer support OS X 10.4.

Recommended Releases

The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases.


| Software Name | Major Release | Recommended Release |
| --- | --- | --- |
| Cisco AnyConnect Secure Mobility Client | 2.5.x | 2.5 MR6 (2.5.6005) |
| Cisco AnyConnect Secure Mobility Client | 3.0.x | 3.0 MR8 (3.0.08057) |
| Hostscan | 3.0.x | 3.0 MR8 (3.0.08062) |
| Cisco Secure Desktop | 3.x | 3.6.6020 |


Workarounds

Blacklists can be enforced manually, based on the instructions provided in the “Details” section, or by applying updates from Microsoft (2736233) or Oracle (Java SE 6 Update 37 and Java SE 7 Update 9) that include ActiveX CLSIDs or Java applet Message Digests. Anyone opting to enforce blacklists of the vulnerable ActiveX control CLSIDs and Java applet Message Digests can prevent the vulnerable code from instantiating. As a result, WebLaunch initiation of vulnerable software installation and upgrades will be prevented; however, pre-deployed software initiated through standalone methods and WebLaunch initiation of fixed software will continue to function.

In most cases an AnyConnect upgrade is mandatory; in other cases, upgrading third-party software is the key.

Thanks.

HTH.

Portu.
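The advisory text quoted above tells customers to "determine exposure" by checking installed builds against the Recommended Releases table. The following script is an added example for doing that across an inventory; it is not part of this thread or of Cisco's advisory. The recommended releases are the ones quoted in the reply; the inventory is constructed sample input, and reading the original poster's "3.05080" as build 3.0.5080 is an assumption. It also shows why the comparison has to be numeric: Cisco writes some builds with a leading zero (3.0.08057), so a plain string comparison would wrongly rank 3.0.5080 as newer than the fix.

```python
"""Exposure check against an advisory's Recommended Releases table.

Added example, not code from the forum thread or from Cisco. The table
below reproduces the recommended releases quoted in the thread; the
inventory at the bottom is constructed sample input.
"""
from typing import Optional

# (software name, major release train) -> recommended release, as quoted.
RECOMMENDED = {
    ("Cisco AnyConnect Secure Mobility Client", "2.5.x"): "2.5.6005",
    ("Cisco AnyConnect Secure Mobility Client", "3.0.x"): "3.0.08057",
    ("Hostscan", "3.0.x"): "3.0.08062",
    ("Cisco Secure Desktop", "3.x"): "3.6.6020",
}


def parse_version(version: str) -> tuple:
    """Split a dotted build string into a tuple of integers.

    Integers matter: '3.0.08057' must compare as (3, 0, 8057), so that
    3.0.5080 (older) sorts below it. Lexicographic string comparison
    would put '3.0.5080' above '3.0.08057' because '5' > '0'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def naive_string_check(installed: str, recommended: str) -> bool:
    """The wrong way (lexicographic). Kept only to demonstrate the trap."""
    return installed >= recommended


def release_train(software: str, version: str) -> Optional[str]:
    """Return the major-release train ('3.0.x', '3.x', ...) a build belongs to."""
    v = parse_version(version)
    for (name, train), _ in RECOMMENDED.items():
        if name != software:
            continue
        # '3.0.x' -> (3, 0); '3.x' -> (3,)
        prefix = parse_version(train.rstrip("x").rstrip("."))
        if v[: len(prefix)] == prefix:
            return train
    return None


def exposure(software: str, installed: str) -> dict:
    """Classify one installed build against the recommended release.

    status: 'ok' (at or above the recommended build), 'upgrade' (below it),
    or 'unknown' (no train in the table covers this version).
    """
    train = release_train(software, installed)
    if train is None:
        return {"software": software, "installed": installed,
                "train": None, "recommended": None, "status": "unknown"}
    recommended = RECOMMENDED[(software, train)]
    status = ("ok" if parse_version(installed) >= parse_version(recommended)
              else "upgrade")
    return {"software": software, "installed": installed,
            "train": train, "recommended": recommended, "status": status}


# Constructed sample inventory. "3.0.5080" is this example's reading of the
# thread's "3.05080" (an assumption); the other builds are named in the thread.
SAMPLE_INVENTORY = [
    ("Cisco AnyConnect Secure Mobility Client", "3.0.5080"),
    ("Cisco AnyConnect Secure Mobility Client", "3.0.10057"),
    ("Cisco AnyConnect Secure Mobility Client", "2.5.6005"),
    ("Cisco Secure Desktop", "3.6.6020"),
]


def report(inventory=SAMPLE_INVENTORY) -> list:
    """Classify every inventory entry, print a summary line each, return all."""
    results = [exposure(name, ver) for name, ver in inventory]
    for r in results:
        tail = f" (recommended {r['recommended']})" if r["recommended"] else ""
        print(f"{r['software']:<42} {r['installed']:<10} -> {r['status']}{tail}")
    return results


if __name__ == "__main__":
    report()
```

Running it prints one line per inventory entry; the 3.0.5080 build comes back as `upgrade` against recommended 3.0.08057, while 3.0.10057, 2.5.6005 and Secure Desktop 3.6.6020 come back as `ok`. The table only answers "is this build at or above the recommended release"; it says nothing about whether a given build was ever attacked, which is the separate question the thread raises.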