Security Experts:

Cisco Addresses VPN Client Vulnerabilities

Cisco Addresses Code execution and DoS Vulnerabilities

Cisco has issued three security advisories that address vulnerabilities within Cisco ASA and ASASM, their AnyConnect Secure Mobility Client, and Application Control Engine (ACE). According to their warnings, Cisco says that the issues could lead to code execution in some cases, or denial of service in others.

The most important of the vulnerability warnings from Cisco likely centers on the AnyConnect Secure Mobility Client. Tens of thousands of people use this VPN client to access their corporate networks every hour of the day.

Cisco“The vulnerabilities described in this advisory all are exploited via the software update mechanisms used to perform WebLaunch-initiated web deployment. All affected versions of Cisco AnyConnect Secure Mobility Client, regardless of how they were deployed onto end-user systems, are susceptible to exploitation,” Cisco warned

“In addition, because the WebLaunch components are signed by Cisco and because of these vulnerabilities can allow for the arbitrary installation of malicious software, any end-user system that instantiates the vulnerable WebLaunch downloader components may be impacted, including systems that have never installed Cisco AnyConnect Secure Mobility Client.”

The first issue is related to code execution. According to the note, the ActiveX and Java components of the VPN client do not perform sufficient input validation. As a result, an attacker who tricked a user onto a malicious domain could exploit this face and execute the code with the privileges of the user's web browser session.

These same flaws also allow an attacker to deliver older versions of the VPN client, signed by Cisco, which could introduce vulnerabilities to the software that were not present at the time the victim visited the attackers domain. This software downgrade vulnerability also applies to HostScan Desktop.

In all three cases, Cisco has issued fixes. Customers need only deploy the latest packages to their remote clients. The ASA / ASASM and ACE vulnerability and mitigation details are here, and here, respectively. 

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.