Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an unauthenticated, remote attacker to conduct man-in-the-middle attacks.
The vulnerability exists because the affected software does not perform certificate name checking in an X.509 certificate when the software is configured to use IPsec. An unauthenticated, remote attacker could convince a user to visit a malicious website using a certificate that may be displayed as valid for a legitimate site. If successful, the attacker could impersonate trusted servers, which an attacker could use to launch further attacks.
Cisco has confirmed this vulnerability and released software updates.
Exploits of this vulnerability may require user interaction. An attacker could convince a user to visit a malicious website using a certificate that may be displayed as valid for a legitimate site. In addition, the user must be connected via the Cisco AnyConnect Secure Mobility Client using IPsec for an attacker to have an attack vector to exploit this vulnerability.
It is likely that an attacker would need access to an internal, private network to submit crafted X.509 certificates. This requirement may limit the possibility of a potential attack.
Cisco indicates through the CVSS score that proof-of-concept exploit code exists; however, the code is not known to be publicly available.