Cisco released free software updates to address multiple vulnerabilities in its AnyConnect Secure Mobility Client as well as other hardware security appliances including its ASA 5500 Series Adaptive Security Appliances.
AnyConnect, the Cisco Systems Inc. VPN client, allows remote access and connects to Cisco products such as 5500 Series Adaptive Security Appliances (ASA) and devices that are running Cisco IOS Software.
One way admins install AnyConnect is through web-deploy. This web-deploy scenario can be initiated in two ways: standalone initiation and WebLaunch initiation.
Usually, during a WebLaunch initiation, any end user system that visits a website which attempts to instantiate a downloader component will be prompted to install or upgrade Cisco AnyConnect Secure Mobility Client, the vendor explained.
But the vulnerability means an unauthenticated, remote attacker could execute arbitrary code on systems that have received the components that perform the WebLaunch functionality and supply vulnerable ActiveX or Java components for execution by an end user.
All affected versions of AnyConnect, regardless of how they were deployed onto end-user systems, are susceptible to exploitation, the vendor warned.
The security flaw is documented in Cisco Bug ID CSCtw47523 (for registered users only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-2493.
In addition to the arbitrary code execution vulnerability, there are other security concerns affecting the VPN endpoint client: an AnyConnect Secure Mobility Client VPN downloader software downgrade vulnerability, an AnyConnect and Secure Desktop HostScan downloader software downgrade vulnerability, and a 64-bit Java VPN downloader arbitrary code execution vulnerability.
These vulnerabilities could allow the attacker to modify the Cisco VPN client installation and replace it with an arbitrary, older version of software (authorised by Cisco).
These actions could “expose the system to subsequent attacks against vulnerabilities found in older versions of Cisco AnyConnect Secure Mobility Client software,” the vendor said.
The security flaws can also affect systems that have never installed Cisco AnyConnect Secure Mobility Client, Cisco warned.
Meanwhile, the vendor has also released security patches for other products such as Cisco Application Control Engine (ACE) software, Cisco Catalyst 6500 Series ASA Services Module, and ASA 5500 Series Adaptive Security Appliances to address vulnerabilities that could allow an unauthenticated attacker to force systems to reboot.