Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Users Warned of Serious Flaw in Deprecated Cisco Secure Desktop Feature

A high severity vulnerability has been found in Cache Cleaner, a Cisco Secure Desktop component that was deprecated by the company more than two years ago. Cisco is not releasing patches because the product is no longer supported, but the company has provided a workaround.

A high severity vulnerability has been found in Cache Cleaner, a Cisco Secure Desktop component that was deprecated by the company more than two years ago. Cisco is not releasing patches because the product is no longer supported, but the company has provided a workaround.

The Cisco Secure Desktop suite provides additional security services for products such as Cisco ASA Software and Cisco IOS Software SSL VPN. Cache Cleaner and several other features were deprecated in November 2012 and customers have been advised to transition to the Cisco Host Scan standalone package.

Security researcher Jason Sinchak has discovered a command execution vulnerability (CVE-2015-0691) affecting a Cisco-signed Java Archive (JAR) executable included in Cache Cleaner.

Due to insufficient controls when executing this .jar file, a remote, unauthenticated attacker could run arbitrary commands on systems where the vulnerable file is executed. The commands initiated by the attacker would be executed with the privileges of the user.

An attacker can exploit the vulnerability by tricking the targeted user into visiting a malicious website that is set up to serve a specially crafted package containing a vulnerable .jar file and other malicious executables, Cisco said in an advisory.

“Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any users and not just against consumers of Cisco Secure Desktop,” Cisco has warned.

The vulnerability has been assigned a CVSS score of 9.1 by Cisco, but organizations can also compute scores to determine the impact in their own networks.

While Cisco will not be releasing security updates to address the issue, the company has published SHA-1 hashes for the affected .jar file to allow users to blacklist it. With the release of Java SE 8 Update 45, the file will be blacklisted by default.

Advertisement. Scroll to continue reading.

“Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation,” Cisco said.

The company has also released an advisory to warn users about a denial-of-service (DoS) vulnerability in the packet-processing code of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers (ASR). A malicious actor can exploit this security hole to cause a DoS condition only on devices configured to route packets through the bridge-group virtual interface (BVI).

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

Network security policy management firm FireMon has appointed Alex Bender as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.