PROBLEM:
Two vulnerabilities have been reported in Cisco AnyConnect VPN Client, which can be exploited by malicious people to compromise a user's system.
PLATFORM:
Cisco AnyConnect VPN Client 2.x
Cisco AnyConnect VPN Client 3.x
ABSTRACT:
The Cisco AnyConnect Secure Mobility Client is affected by the following vulnerabilities:
- Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
- Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
- Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop HostScan Downloader Software Downgrade Vulnerability
- Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability
REFERENCE LINKS:
Vendor Advisory
Secunia ID 49645
CVE-2012-2493, CVE-2012-2494, CVE-2012-2495, CVE-2012-2496
IMPACT ASSESSMENT:
High
Discussion:
- The VPN Downloader update mechanism does not properly verify the authenticity of downloaded executables, which can be exploited to download and execute an arbitrary program.
- The 64-bit Java VPN Downloader update mechanism does not properly verify the authenticity of downloaded executables, which can be exploited to download and execute an arbitrary program.
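The checks an update mechanism needs to avoid the two flaw classes listed above (unauthenticated executables and software downgrade), as an added example that is not Cisco's code and not part of the original advisory. The manifest layout, function names, version strings and key are assumptions; HMAC stands in for public-key code-signing verification so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for public-key code-signing verification,
# which the standard library lacks; this is not how AnyConnect verifies updates.
TRUST_KEY = b"constructed-demo-key"


class UpdateRejected(Exception):
    """A downloaded update failed a pre-execution check."""


def parse_version(text):
    """'2.5.0' -> (2, 5, 0), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def sign_manifest(manifest_bytes, key=TRUST_KEY):
    """Authentication tag over the exact manifest bytes (hypothetical format)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def make_manifest(version, payload):
    """Build a constructed manifest and tag, as the update server would."""
    body = json.dumps({"version": version,
                       "sha256": hashlib.sha256(payload).hexdigest()}).encode()
    return body, sign_manifest(body)


def check_update(manifest_bytes, tag, payload, installed_version, key=TRUST_KEY):
    """Return the new version if the payload may run; raise UpdateRejected if not."""
    # 1. Authenticate the manifest before trusting any field inside it.
    if not hmac.compare_digest(sign_manifest(manifest_bytes, key), tag):
        raise UpdateRejected("manifest authentication failed")
    manifest = json.loads(manifest_bytes)
    # 2. Bind the downloaded executable to the authenticated manifest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("payload digest mismatch")
    # 3. Refuse downgrades: an authentic but older build is still rejected.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("version is not newer than installed")
    return manifest["version"]
```

The order matters: no manifest field is read until the manifest is authenticated, and the downgrade check runs even when the payload is authentic.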
Impact:
System access from remote
Solution:
The vendor has issued a fix. Upgrade to the appropriate version.