Users Warned of Serious Flaw in Deprecated Cisco Secure Desktop Feature

A high severity vulnerability has been found in Cache Cleaner, a Cisco Secure Desktop component that was deprecated by the company more than two years ago. Cisco is not releasing patches because the product is no longer supported, but the company has provided a workaround.

The Cisco Secure Desktop suite provides additional security services for products such as Cisco ASA Software and Cisco IOS Software SSL VPN. Cache Cleaner and several other features were deprecated in November 2012 and customers have been advised to transition to the Cisco Host Scan standalone package.

Security researcher Jason Sinchak has discovered a command execution vulnerability (CVE-2015-0691) affecting a Cisco-signed Java Archive (JAR) executable included in Cache Cleaner.

Due to insufficient controls when executing this .jar file, a remote, unauthenticated attacker could run arbitrary commands on systems where the vulnerable file is executed. The commands initiated by the attacker would be executed with the privileges of the user.

An attacker can exploit the vulnerability by tricking the targeted user into visiting a malicious website that is set up to serve a specially crafted package containing a vulnerable .jar file and other malicious executables, Cisco said in an advisory.

“Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any users and not just against consumers of Cisco Secure Desktop,” Cisco has warned.

The vulnerability has been assigned a CVSS score of 9.1 by Cisco, but organizations can also compute scores to determine the impact in their own networks.

While Cisco will not be releasing security updates to address the issue, the company has published SHA-1 hashes for the affected .jar file to allow users to blacklist it. With the release of Java SE 8 Update 45, the file will be blacklisted by default.

“Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation,” Cisco said.
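The hash-based blacklisting described above can also be applied as a sweep of local disks for copies of the affected file. The following is an added example, not code from Cisco or SecurityWeek: it matches JAR files against a caller-supplied list of SHA-1 values, accepting either a whole-file hex hash or the Base64 `SHA1-Digest-Manifest` value from the JAR's signature file, the attribute Java's blacklist file keys on. The function names and the sample JAR are constructed for illustration; the advisory's actual hashes are not listed on this page and must be supplied by the reader.

```python
import base64, hashlib, io, os, re, zipfile

SF_DIGEST = re.compile(rb"^SHA1-Digest-Manifest:\s*(\S+)\s*$", re.M)
HEX_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")

def jar_fingerprints(data):
    """SHA-1 identifiers a blocklist entry could match for one JAR."""
    prints = {hashlib.sha1(data).hexdigest()}  # whole-file SHA-1, hex
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            for name in jar.namelist():
                if re.fullmatch(r"META-INF/[^/]+\.SF", name, re.I):
                    m = SF_DIGEST.search(jar.read(name))
                    if m:  # Base64 manifest digest recorded by the signer
                        prints.add(m.group(1).decode("ascii"))
    except zipfile.BadZipFile:
        pass  # renamed or truncated file: only the whole-file hash applies
    return prints

def normalise(entry):
    entry = entry.strip()
    # Hex is case-insensitive; Base64 is case-sensitive and left untouched.
    return entry.lower() if HEX_SHA1.match(entry) else entry

def find_blocked_jars(root, blocklist):
    """Walk root and return paths of .jar files matching any blocklist entry."""
    wanted = {normalise(e) for e in blocklist}
    hits = []
    for folder, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".jar"):
                path = os.path.join(folder, fname)
                with open(path, "rb") as fh:
                    if jar_fingerprints(fh.read()) & wanted:
                        hits.append(path)
    return sorted(hits)

def build_sample_jar(marker):
    """Constructed stand-in for a signed JAR (no real signature block)."""
    manifest = f"Manifest-Version: 1.0\r\nX-Sample: {marker}\r\n\r\n".encode()
    digest = base64.b64encode(hashlib.sha1(manifest).digest())
    sf = b"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: " + digest + b"\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SAMPLE.SF", sf)
    return buf.getvalue(), digest.decode()
```

Matching on the manifest digest catches a signed JAR that has been repackaged into a different archive, where a whole-file hash alone would no longer match.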

The company has also released an advisory to warn users about a denial-of-service (DoS) vulnerability in the packet-processing code of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers (ASR). A malicious actor can exploit this security hole to cause a DoS condition only on devices configured to route packets through the bridge-group virtual interface (BVI).

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
