
T-635: Cisco AnyConnect Secure Mobility Client Lets Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges

June 2, 2011 - 4:38pm


PROBLEM:

The Cisco AnyConnect Secure Mobility Client is the Cisco next-generation VPN client, which provides remote users with secure IPsec (IKEv2) or SSL Virtual Private Network (VPN) connections to Cisco 5500 Series Adaptive Security Appliances (ASA) and devices that are running Cisco IOS Software.

PLATFORM:

Cisco AnyConnect Secure Mobility Client Platform & Affected Versions

ABSTRACT:

Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability exists due to improper validation of program executables downloaded by the Cisco AnyConnect Secure Mobility Client. An unauthenticated, remote attacker could exploit the vulnerability by convincing the targeted user to view a malicious website. If successful, the attacker could execute arbitrary code on the system with the privileges of the user. Cisco confirmed the vulnerability in a security advisory and released software updates.

REFERENCE LINKS:

Cisco Security Advisory
Cisco Security Advisories and Notices
SecurityTracker Alert ID: 1025591 (CVE-2011-2039, CVE-2011-2040, and CVE-2011-2041)

IMPACT ASSESSMENT:

High

Discussion:

The Cisco AnyConnect Secure Mobility Client can be deployed to remote users from the VPN headend, or it can be installed before the endpoint connects to the VPN headend, a process known as pre-deployment. When the Cisco AnyConnect Secure Mobility Client is pre-deployed, the client software is installed and run like any other application.

When the Cisco AnyConnect Secure Mobility Client is deployed from the VPN headend, an SSL connection is initiated to the VPN headend using a web browser. After the user logs in, the browser displays a portal window, and when the user clicks the "Start AnyConnect" link, the process of downloading the Cisco AnyConnect Secure Mobility Client begins. This action causes the browser to first download a "helper" application that aids in downloading and executing the actual Cisco AnyConnect Secure Mobility Client. The helper application is a Java applet on the Linux and MacOS X platforms; on the Windows platform it is either a Java applet or, if the browser is capable of utilizing ActiveX controls, an ActiveX control. The downloaded helper application is executed in the context of the originating site in the user's web browser. The helper application then downloads the Cisco AnyConnect Secure Mobility Client from the VPN headend and executes it.

The helper application fails to properly validate the authenticity of the downloaded Cisco AnyConnect Secure Mobility Client executable when the client is deployed from the VPN headend. An attacker could create a malicious web page that looks like the normal VPN web login page and entice a user, through social engineering or exploitation of other vulnerabilities, to visit it. This would allow the attacker to supply an arbitrary executable that the helper application would download and execute on the machine of the affected user. This arbitrary executable would be executed with the same operating system privileges under which the web browser was run.

Fixed versions of the Cisco AnyConnect Secure Mobility Client use code signing to validate the authenticity of components downloaded from the VPN headend.
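The check the fixed helper adds, shown as an added example that is not Cisco's code: the downloaded component is accepted only if it verifies under a publisher key pinned in the helper, never under a key or hint supplied by the page that served the download. Ed25519 stands in for whichever platform code-signing scheme the real client uses, and the key pair, installer bytes and execute callback are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrUntrustedComponent is returned when the downloaded bytes do not carry a
// valid signature from the pinned publisher key.
var ErrUntrustedComponent = errors.New("downloaded component failed signature validation")

// VerifyDownloadedComponent is the validation the vulnerable helper lacked:
// the component must verify under a publisher key built into the helper.
func VerifyDownloadedComponent(publisherKey ed25519.PublicKey, component, sig []byte) error {
	// Reject malformed inputs up front; ed25519.Verify panics on a bad key size.
	if len(publisherKey) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrUntrustedComponent
	}
	if !ed25519.Verify(publisherKey, component, sig) {
		return ErrUntrustedComponent
	}
	return nil
}

// InstallComponent models the hardened helper flow: the execute step runs only
// after verification succeeds, so a look-alike portal cannot substitute a binary.
func InstallComponent(publisherKey ed25519.PublicKey, component, sig []byte, execute func([]byte)) error {
	if err := VerifyDownloadedComponent(publisherKey, component, sig); err != nil {
		return err // nothing is written to disk or executed
	}
	execute(component)
	return nil
}

func main() {
	// Constructed demo: the publisher signs a stand-in for the client installer.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	component := []byte("anyconnect-installer-stand-in")
	sig := ed25519.Sign(priv, component)
	run := func(b []byte) { fmt.Printf("executing %d verified bytes\n", len(b)) }

	fmt.Println("genuine:", InstallComponent(pub, component, sig, run))
	// A substituted binary served by another site carries no valid signature.
	fmt.Println("substituted:", InstallComponent(pub, []byte("other-binary"), sig, run))
}
```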

This vulnerability is documented in Cisco Bug ID CSCsy00904 (registered customers only) for Cisco AnyConnect Secure Mobility Client on the Microsoft Windows platform, and in Cisco Bug ID CSCsy05934 (registered customers only) for Cisco AnyConnect Secure Mobility Client on the Linux and Apple MacOS X platforms. Common Vulnerabilities and Exposures (CVE) IDs CVE-2011-2039 (for CSCsy00904) and CVE-2011-2040 (for CSCsy05934) have been assigned for these vulnerabilities.

Solution:

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
