CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS Percentile: 98.4%
The Cisco AnyConnect SSL VPN ActiveX and Java clients contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Cisco AnyConnect is an SSL VPN solution that is commonly initiated through use of a web browser. When Internet Explorer is used, the AnyConnect VPN server provides an ActiveX control that downloads and installs the AnyConnect client software. When any other browser is used, the AnyConnect VPN server provides a signed Java applet to perform that same functionality. Both the ActiveX and Java versions of the AnyConnect VPN web control fail to validate the origin of the downloaded vpndownloader.exe file before executing it.
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.
Apply an update
This issue has been addressed in version 2.3.185 of the AnyConnect ActiveX control. Cisco recommends use of version 2.5.3041 or later 2.5.x versions or 3.0.1047 or later 3.0.x versions. Please see the Cisco Security Advisory for more details. Note that although Cisco has addressed the vulnerability in the Java applet version of the AnyConnect web control, this does not provide any protection to client systems due to security limitations in the Java platform. Also note that Cisco has confirmed that the Windows Mobile version of AnyConnect is vulnerable, but no fixed versions are planned. We recommend the following workarounds:
Disable the Cisco AnyConnect VPN Client ActiveX control in Internet Explorer
The vulnerable Cisco AnyConnect VPN Client ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
{55963676-2F5E-4BAF-AC28-CF26AA587566}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{55963676-2F5E-4BAF-AC28-CF26AA587566}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{55963676-2F5E-4BAF-AC28-CF26AA587566}]
"Compatibility Flags"=dword:00000400
```
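Before pushing a .REG file like the one above through a deployment tool, it is worth confirming that it sets the kill bit (the 0x400 bit of "Compatibility Flags") under both the native and the Wow6432Node key, and afterwards confirming the live registry agrees. The following Python is an added example written for this note, not CERT/CC or Cisco code: SAMPLE_REG is a constructed copy of the two keys shown above, the function names are mine, and the live check uses the standard-library winreg module and only runs on Windows.

```python
"""Added example: verify the IE kill bit for an ActiveX CLSID.

Not part of the CERT/CC note. Checks a .REG file of the shape shown above before it
is imported and, on Windows only, reads the live registry for both views.
"""
import re
import sys

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating the control

NATIVE_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
WOW64_KEY = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample: the same two keys the advisory's .REG text sets
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{55963676-2F5E-4BAF-AC28-CF26AA587566}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{55963676-2F5E-4BAF-AC28-CF26AA587566}]
"Compatibility Flags"=dword:00000400
"""


def has_kill_bit(flags: int) -> bool:
    return bool(flags & KILL_BIT)


def normalize_clsid(clsid: str) -> str:
    """Accept the CLSID with or without braces, in any case; return the {UPPER} form."""
    return "{" + clsid.strip().strip("{}").upper() + "}"


def parse_reg_compat_flags(reg_text: str) -> dict:
    """Map each [key path] in a .REG text to its "Compatibility Flags" dword (None if unset)."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            flags[current] = None
        elif current is not None:
            m = re.match(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', line)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags


def reg_file_sets_kill_bit(reg_text: str, clsid: str) -> bool:
    """True only if BOTH the native and the Wow6432Node key carry the kill bit.

    A file that sets just one view leaves the other bitness of IE unprotected on 64-bit Windows.
    """
    clsid = normalize_clsid(clsid)
    found = {path.upper(): value for path, value in parse_reg_compat_flags(reg_text).items()}
    for subkey in (NATIVE_KEY, WOW64_KEY):
        value = found.get(("HKEY_LOCAL_MACHINE\\" + subkey + "\\" + clsid).upper())
        if value is None or not has_kill_bit(value):
            return False
    return True


def live_kill_bit_status(clsid: str):
    """Windows only: {'native': bool, 'wow6432node': bool} from the live registry; None elsewhere.

    A missing key or value counts as False (no kill bit). On 64-bit Windows a 32-bit Python
    is redirected to the Wow6432Node view when it opens NATIVE_KEY, so use a 64-bit Python.
    """
    if sys.platform != "win32":
        return None
    import winreg
    clsid = normalize_clsid(clsid)
    status = {}
    for name, subkey in (("native", NATIVE_KEY), ("wow6432node", WOW64_KEY)):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey + "\\" + clsid) as key:
                value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
                status[name] = has_kill_bit(int(value))
        except OSError:
            status[name] = False
    return status


if __name__ == "__main__":
    clsid = "{55963676-2F5E-4BAF-AC28-CF26AA587566}"
    print("sample .REG sets kill bit in both views:", reg_file_sets_kill_bit(SAMPLE_REG, clsid))
    print("live registry status:", live_kill_bit_status(clsid))
```

The file check deliberately fails when only one of the two keys is present or when the dword lacks the 0x400 bit, since either gap leaves one bitness of Internet Explorer able to load the control.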
Remove the Cisco AnyConnect VPN Java applet
In the Java Control Panel item, click the "View" button in the "Temporary Internet Files" section. This will show resources that Java has downloaded. Remove any reference to VPNJava.jar or vpndownloader.exe. This will help prevent an attacker from utilizing an already-downloaded vulnerable version of the Java version of the AnyConnect web control.
Disable the vulnerable Cisco AnyConnect VPN Java applets
Java has the ability to disable specific versions of signed applets starting with JRE version 6u14. To block vulnerable versions of the Cisco AnyConnect Java applet, add the following entries to the Java blacklist file:
```
# 2.3.0254, 2.3.1003, 2.3.2016, 2.4.0202, 2.4.1012,
# 2.5.0217, 2.5.1025, 2.5.2001, 2.5.2006, 2.5.2010,
# 2.5.2011, 2.5.2014, 2.5.2017, 2.5.2018, 2.5.2019
SHA1-Digest-Manifest : xmarT5s8kwnKRLxnCOoLUnxnveE=
# 2.2.0133, 2.2.0136, 2.2.0140
SHA1-Digest-Manifest : 2wXAWNws4uNdCioU1eoCOS4+J3o=
# 2.0.0343, 2.1.0148
SHA1-Digest-Manifest : OlNnvozFCxbJZbRfGiLckOE8uFQ=
```
Note that blacklist entries should go in the user-level blacklist file. System-level blacklist entries may be overwritten with JRE updates.
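When hunting for cached copies of VPNJava.jar on endpoints, it helps to be able to compute the value the JRE blacklist matches on and compare it to the entries above. The following Python is an added example written for this note, not CERT/CC, Cisco or Oracle code: it parses the blacklist format shown above and computes a JAR's SHA1-Digest-Manifest value, the base64-encoded SHA-1 of META-INF/MANIFEST.MF (the same manifest digest a signed JAR's .SF file records). SAMPLE_BLACKLIST reproduces the three entries above, the sample JAR is constructed in memory, and the helper names are mine.

```python
"""Added example: match a JAR against Java's blacklist by manifest digest.

Not from the CERT/CC note. A blacklist entry "SHA1-Digest-Manifest : <b64>" is the
base64 SHA-1 of META-INF/MANIFEST.MF, the value a signed JAR's .SF file records.
"""
import base64
import hashlib
import io
import zipfile

# The three entries from the advisory's blacklist text, used as the sample list
SAMPLE_BLACKLIST = """\
# 2.3.0254, 2.3.1003, 2.3.2016, 2.4.0202, 2.4.1012,
# 2.5.0217, 2.5.1025, 2.5.2001, 2.5.2006, 2.5.2010,
# 2.5.2011, 2.5.2014, 2.5.2017, 2.5.2018, 2.5.2019
SHA1-Digest-Manifest : xmarT5s8kwnKRLxnCOoLUnxnveE=
# 2.2.0133, 2.2.0136, 2.2.0140
SHA1-Digest-Manifest : 2wXAWNws4uNdCioU1eoCOS4+J3o=
# 2.0.0343, 2.1.0148
SHA1-Digest-Manifest : OlNnvozFCxbJZbRfGiLckOE8uFQ=
"""


def parse_blacklist(text: str) -> set:
    """Return the set of SHA1-Digest-Manifest values; '#' lines and blanks are skipped."""
    digests = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip() == "SHA1-Digest-Manifest":
            digests.add(value.strip())
    return digests


def manifest_digest(jar_bytes: bytes):
    """base64(SHA-1(META-INF/MANIFEST.MF)) of a JAR held in memory; None if it has no manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF")
        except KeyError:
            return None  # not a JAR with a manifest: cannot be matched, never a false hit
    return base64.b64encode(hashlib.sha1(manifest).digest()).decode("ascii")


def is_blacklisted(jar_bytes: bytes, blacklist_text: str) -> bool:
    digest = manifest_digest(jar_bytes)
    return digest is not None and digest in parse_blacklist(blacklist_text)


def build_sample_jar(manifest_text: str, with_manifest: bool = True) -> bytes:
    """Constructed stand-in for a cached VPNJava.jar: a zip holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_manifest:
            zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        else:
            zf.writestr("placeholder.txt", "no manifest here")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar("Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n")
    print("digest:", manifest_digest(jar))
    print("blacklisted:", is_blacklisted(jar, SAMPLE_BLACKLIST))
```

To check a real file, read it into bytes and pass it to is_blacklisted with the contents of the blacklist file; because the digest covers the whole manifest, any rebuilt or re-signed JAR will produce a different value and must be added as its own entry.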
Remove Cisco Systems, Inc. from the list of trusted Java certificates
In the Java Control Panel item, click the "Security" tab and then the "Certificates" button. Delete any certificates from "Cisco Systems, Inc." in the Trusted Certificates list.
When prompting to run a signed Java applet, the Java runtime will pre-select an option called "Always trust content from this publisher." If this option remains enabled, then any Java applet that has been signed by the same publisher will execute without any user interaction. In this case, if a user has at any point allowed any signed Java applet from Cisco Systems Inc. to execute, and the user has not deselected the "Always trust content from this publisher" checkbox, then an attacker can use a vulnerable Java version of the AnyConnect web control and exploit it to achieve code execution. Removing the certificate from the Trusted Certificates list will cause Java to prompt the user before it executes. If any signed Java applet is executed, the user should deselect "Always trust content from this publisher." For more details, please see: CERT/CC Blog: Signed Java Applet Security: Worse than ActiveX?
Use the stand-alone Cisco AnyConnect VPN client
Vulnerabilities in the ActiveX and Java versions of Cisco AnyConnect can be avoided by using the stand-alone Cisco AnyConnect VPN Client. Cisco AnyConnect offers the stand-alone client when the ActiveX and Java techniques fail, which includes the case where the above mitigations are in place. Rather than initiating the VPN connection through a web browser, using the stand-alone Cisco AnyConnect VPN Client will help minimize the attack surface of the Cisco AnyConnect VPN product.
VU#490097
Notified: June 03, 2011 Updated: June 07, 2011
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 08, 2011 Updated: June 08, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 10, 2011 Updated: June 10, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
This vulnerability was reported by Elazar Broad through iDefense.
This document was written by Will Dormann.
CVE IDs: CVE-2011-2039, CVE-2011-2040
Severity Metric: 60.75
Date Public: