Cisco AnyConnect SSL VPN arbitrary code execution

2011-06-0700:00:00

www.kb.cert.org

0.799 High

EPSS

Percentile

98.3%

JSON

Overview

The Cisco AnyConnect SSL VPN ActiveX and Java clients contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Cisco AnyConnect is an SSL VPN solution that is commonly initiated through use of a web browser. When Internet Explorer is used, the AnyConnect VPN server provides an ActiveX control that downloads and installs the AnyConnect client software. When any other browser is used, the AnyConnect VPN server provides a signed Java applet to perform that same functionality. Both the ActiveX and Java versions of the AnyConnect VPN web control fail to validate the origin of the downloaded vpndownloader.exe file before executing it.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

Solution

Apply an update

This issue has been addressed in version 2.3.185 of the AnyConnect ActiveX control. Cisco recommends use of version 2.5.3041 or later 2.5.x versions or 3.0.1047 or later 3.0.x versions. Please see the Cisco Security Advisory for more details. Note that although Cisco has addressed the vulnerability in the Java applet version of the AnyConnect web control, this does not provide any protection to client systems due to security limitations in the Java platform. Also note that Cisco has confirmed that the Windows Mobile version of AnyConnect is vulnerable, but no fixed versions are planned. We recommend the following workarounds:

Disable the Cisco AnyConnect VPN Client ActiveX control in Internet Explorer

The vulnerable Cisco AnyConnect VPN Client ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{``55963676-2F5E-4BAF-AC28-CF26AA587566``}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{``55963676-2F5E-4BAF-AC28-CF26AA587566``}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{``55963676-2F5E-4BAF-AC28-CF26AA587566``}]
"Compatibility Flags"=dword:00000400
Remove the Cisco AnyConnect VPN Java applet

In the Java Control Panel item, click the “View” button in the “Temporary Internet Files” section. This will show resources that Java has downloaded. Remove any reference to VPNJava.jar or vpndownloader.exe. This will help prevent an attacker from utilizing an already-downloaded vulnerable version of the Java version of the AnyConnect web control.

Disable the vulnerable Cisco AnyConnect VPN Java applets

Java has the ability to disable specific versions of signed applets starting with JRE version 6u14. To block vulnerable versions of the Cisco AnyConnect Java applet, add the following entries to the Java blacklist file:
# 2.3.0254, 2.3.1003, 2.3.2016, 2.4.0202, 2.4.1012,
# 2.5.0217, 2.5.1025, 2.5.2001, 2.5.2006, 2.5.2010,
# 2.5.2011, 2.5.2014, 2.5.2017, 2.5.2018, 2.5.2019
SHA1-Digest-Manifest : xmarT5s8kwnKRLxnCOoLUnxnveE=

# 2.2.0133, 2.2.0136, 2.2.0140
SHA1-Digest-Manifest : 2wXAWNws4uNdCioU1eoCOS4+J3o=

# 2.0.0343, 2.1.0148
SHA1-Digest-Manifest : OlNnvozFCxbJZbRfGiLckOE8uFQ=
Note that blacklist entries should go in the user-level blacklist file. System-level blacklist entries may be overwritten with JRE updates.

Remove Cisco Systems, Inc. from the list of trusted Java certificates

In the Java Control Panel item, click the “Security” tab and then the “Certificates” button. Delete any certificates from “Cisco Systems, Inc.” in the Trusted Certificates list.

When prompting to run a signed Java applet, the Java runtime will pre-select an option called “Always trust content from this publisher.” If this option remains enabled, then any Java applet that has been signed by the same publisher will execute without any user interaction. In this case, if a user has at any point allowed any signed Java applet from Cisco Systems Inc. to execute, and the user has not deselected the “Always trust content from this publisher” checkbox, then an attacker can use a vulnerable Java version of the AnyConnect web control and exploit it to achieve code execution. Removing the certificate from the Trusted Certificates list will cause Java to prompt the user before it executes. If any signed Java applet is executed, the user should deselect “Always trust content from this publisher.” For more details, please see: CERT/CC Blog: Signed Java Applet Security: Worse than ActiveX?

Use the stand-alone Cisco AnyConnect VPN client

Vulnerabilities in the ActiveX and Java versions of Cisco AnyConnect can be avoided by using the stand-alone Cisco AnyConnect VPN Client. The stand-alone client is provided by Cisco AnyConnect if the ActiveX and Java techniques fail or if the above mitigations are in place. Rather than initiating the VPN connection through a web browser, using the stand-alone Cisco AnyConnect VPN Client will help minimize the attack surface of the Cisco AnyConnect VPN product.