Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.CISCO_ANYCONNECT_VPN_HOSTSCAN_DOWNGRADE.NASL
HistoryJul 02, 2012 - 12:00 a.m.

Cisco AnyConnect Secure Mobility Client 3.0 < 3.0 MR8 Multiple Vulnerabilities

2012-07-0200:00:00
This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
www.tenable.com
38

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.001

Percentile

48.8%

JSON

The remote host has a version of Cisco AnyConnect < 3.0 MR8.
Such versions are affected by the following vulnerabilities :

  • The HostScan VPN downloader implementation does not compare timestamps of offered software to install with currently installed software, which may allow remote attackers to downgrade the software via ActiveX or Java components. (CVE-2012-2495)

  • Man-in-the-middle attacks are possible even when the ASA is configured with a legitimate certificate.
    (CVE-2012-2498)

  • No certificate name checking is performed when using IPsec as the tunnel protocol, which could result in man-in-the-middle attacks. (CVE-2012-2499)

  • Certificate names are not verified during WebLaunch of IPsec, which could result in man-in-the-middle attacks. (CVE-2012-2500)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59821);
  script_version("1.12");
  script_cvs_date("Date: 2018/07/06 11:26:08");

  script_cve_id(
    "CVE-2012-2495",
    "CVE-2012-2498",
    "CVE-2012-2499",
    "CVE-2012-2500"
  );
  script_bugtraq_id(54108, 54826, 54847);
  script_xref(name:"CISCO-BUG-ID", value:"CSCtx74235");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz26985");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz29197");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz29470");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20120620-ac");

  script_name(english:"Cisco AnyConnect Secure Mobility Client 3.0 < 3.0 MR8 Multiple Vulnerabilities");
  script_summary(english:"Checks version of Cisco AnyConnect Client");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has software installed that is affected by multiple
vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host has a version of Cisco AnyConnect < 3.0 MR8.
Such versions are affected by the following vulnerabilities :

  - The HostScan VPN downloader implementation does not 
    compare timestamps of offered software to install
    with currently installed software, which may allow
    remote attackers to downgrade the software via ActiveX
    or Java components. (CVE-2012-2495)

  - Man-in-the-middle attacks are possible even when the
    ASA is configured with a legitimate certificate.
    (CVE-2012-2498)

  - No certificate name checking is performed when using
    IPsec as the tunnel protocol, which could result in
    man-in-the-middle attacks. (CVE-2012-2499)

  - Certificate names are not verified during WebLaunch
    of IPsec, which could result in man-in-the-middle
    attacks. (CVE-2012-2500)"
  );
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b0b6c065");
  # http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?86b883fe");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to Cisco AnyConnect Secure Mobility Client 3.0 MR8 or 
greater."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date",value:"2012/06/20");
  script_set_attribute(attribute:"patch_publication_date",value:"2012/06/20");
  script_set_attribute(attribute:"plugin_publication_date",value:"2012/07/02");
  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:anyconnect_secure_mobility_client");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies('cisco_anyconnect_vpn_installed.nasl');
  script_require_keys('SMB/cisco_anyconnect/Installed');
  
  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('audit.inc');

appname = 'Cisco AnyConnect Mobility VPN Client';
kb_base = 'SMB/cisco_anyconnect/';
report = '';

num_installed = get_kb_item_or_exit(kb_base + 'NumInstalled');

for (install_num = 0; install_num < num_installed; install_num++)
{
  path = get_kb_item_or_exit(kb_base + install_num + '/path');
  ver = get_kb_item_or_exit(kb_base + install_num + '/version');
  fix = '3.0.8057.0';
  
  if (ver =~ "^3\." && ver_compare(ver:ver, fix:fix) == -1)
  {
      report += 
        '\n  Path              : ' + path +
        '\n  Installed version : ' + ver +
        '\n  Fixed version     : ' + fix + '\n';
  }
}

if(report != '')
{
  if (report_verbosity > 0)
    security_warning(port:get_kb_item('SMB/transport'), extra:report);
  else security_warning(get_kb_item('SMB/transport'));
  exit(0);
} 
else audit(AUDIT_INST_VER_NOT_VULN, appname);

Related

cisco 5
prion 4
cve 4
cvelist 4
nvd 4
nessus 4
openvas 2
securityvulns 1
cisco
cisco
Cisco AnyConnect Secure Mobility Client WebLaunch Session Hijack Vulnerability
2012-08-09 20:55:47
Cisco AnyConnect Secure Mobility Client IPsec Certificate Validation Vulnerability
2012-08-09 20:16:33
Cisco AnyConnect Secure Mobility Client Man-in-the-Middle Attack Vulnerability
2012-08-09 21:31:35
prion
prion
Information disclosure
2012-08-06 17:55:00
Code injection
2012-08-06 17:55:00
Authentication flaw
2012-08-06 17:55:00
cve
cve
CVE-2012-2499
2012-08-06 17:55:01
CVE-2012-2500
2012-08-06 17:55:01
CVE-2012-2498
2012-08-06 17:55:01
cvelist
cvelist
CVE-2012-2500
2012-08-06 17:00:00
CVE-2012-2499
2012-08-06 17:00:00
CVE-2012-2498
2012-08-06 17:00:00
nvd
nvd
CVE-2012-2500
2012-08-06 17:55:01
CVE-2012-2499
2012-08-06 17:55:01
CVE-2012-2495
2012-06-20 20:55:02
nessus
nessus
Cisco AnyConnect Secure Mobility Client 3.1 < 3.1(495) MiTM
2012-08-13 00:00:00
Mac OS X : Cisco AnyConnect Secure Mobility Client 3.1 < 3.1(495) MiTM
2012-08-13 00:00:00
MacOSX Cisco AnyConnect Secure Mobility Client Multiple Vulnerabilities
2012-07-02 00:00:00
openvas
openvas
Cisco Products ActiveX Control Multiple Vulnerabilities
2012-09-12 00:00:00
Cisco Products ActiveX Control Multiple Vulnerabilities
2012-09-12 00:00:00
securityvulns
securityvulns
Cisco AnyConnect Secure Mobility Client multiple security vulnerabilities
2012-08-27 00:00:00

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.001

Percentile

48.8%

JSON
Related for CISCO_ANYCONNECT_VPN_HOSTSCAN_DOWNGRADE.NASL
cisco5prion4cve4cvelist4nvd4nessus4openvas2securityvulns1