A high-severity vulnerability has been found in Cache Cleaner, a Cisco Secure Desktop component that the company deprecated more than two years ago. Cisco is not releasing patches because the product is no longer supported, but it has provided a workaround.
The Cisco Secure Desktop suite provides additional security services for products such as Cisco ASA Software and Cisco IOS Software SSL VPN. Cache Cleaner and several other features were deprecated in November 2012 and customers have been advised to transition to the Cisco Host Scan standalone package.
Security researcher Jason Sinchak has discovered a command execution vulnerability (CVE-2015-0691) affecting a Cisco-signed Java Archive (JAR) executable included in Cache Cleaner.
Due to insufficient controls when executing this .jar file, a remote, unauthenticated attacker could run arbitrary commands on systems where the vulnerable file is executed. The commands initiated by the attacker would run with the privileges of the user who executed the file.
An attacker can exploit the vulnerability by tricking the targeted user into visiting a malicious website that is set up to serve a specially crafted package containing a vulnerable .jar file and other malicious executables, Cisco said in an advisory.
“Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any users and not just against consumers of Cisco Secure Desktop,” Cisco has warned.
The vulnerability has been assigned a CVSS score of 9.1 by Cisco, but organizations can also compute scores to determine the impact in their own networks.
While Cisco will not be releasing security updates to address the issue, the company has published SHA-1 hashes for the affected .jar file to allow users to blacklist it. With the release of Java SE 8 Update 45, the file will be blacklisted by default.
“Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation,” Cisco said.
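Cisco's workaround relies on blocking the affected JAR by its SHA-1 hash. The following is an added example (not Cisco's code or the advisory's) of a defender-side check that hashes .jar files, compares them against a hash list, and notes whether each JAR carries a code-signing block; the blacklist entry shown is a placeholder, to be replaced with the hashes from Cisco's advisory.

```python
import hashlib
import io
import os
import zipfile

# Placeholder only: substitute the SHA-1 hashes Cisco published in its advisory.
CISCO_BLACKLIST = {"0000000000000000000000000000000000000000"}


def sha1_hex(data: bytes) -> str:
    """SHA-1 digest of a file's bytes, the form Cisco's advisory uses."""
    return hashlib.sha1(data).hexdigest()


def is_signed_jar(data: bytes) -> bool:
    """A signed JAR carries a signature block (.RSA/.DSA/.EC) under META-INF/."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.upper().startswith("META-INF/")
                       and n.upper().endswith((".RSA", ".DSA", ".EC"))
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a valid archive, so not a signed JAR


def assess_jar(data: bytes, blacklist=CISCO_BLACKLIST) -> dict:
    """Report hash, signature presence and blacklist status for one JAR."""
    digest = sha1_hex(data)
    return {"sha1": digest, "signed": is_signed_jar(data),
            "blacklisted": digest in blacklist}


def scan_directory(root: str, blacklist=CISCO_BLACKLIST) -> list:
    """Walk a tree (e.g. a Java deployment cache) and assess every .jar found."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    result = assess_jar(fh.read(), blacklist)
                result["path"] = path
                results.append(result)
    return results


def build_sample_jar(signed: bool) -> bytes:
    """Constructed sample JAR (not Cisco's file) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Demo.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/DEMO.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/DEMO.RSA", b"\x30\x00")  # dummy signature block
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar(signed=True)
    print(assess_jar(sample, {sha1_hex(sample)}))  # treat the sample's hash as listed
```

Run `scan_directory()` against the directories where Cisco Secure Desktop packages or Java's deployment cache live to confirm no blacklisted copies remain.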
The company has also released an advisory to warn users about a denial-of-service (DoS) vulnerability in the packet-processing code of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers (ASR). A malicious actor can exploit this security hole to cause a DoS condition only on devices configured to route packets through the bridge-group virtual interface (BVI).