Cisco, CISCO-SA-20150415-CSD
Apr 15, 2015 - 4:00 p.m.

Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability

2015-04-15 16:00:00
tools.cisco.com

CVSS2: 9.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.002
Percentile: 59.8%

A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user.

The Cache Cleaner feature has been deprecated since November 2012.

There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download.

Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation. Refer to the “Workarounds” section of this advisory for additional information on how to mitigate this vulnerability.

Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan standalone package.

This advisory is available at the following link:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd

Affected configurations

Node: cisco secure_desktop (match: any) OR cisco secure_desktop (match: any)

Vendor: cisco
Product: secure_desktop
Version: any
CPE: cpe:2.3:a:cisco:secure_desktop:any:*:*:*:*:*:*:*
