Cisco AnyConnect Secure Mobility Client 3.0 < 3.0 MR8 Multiple Vulnerabilities

2012-07-02T00:00:00
ID CISCO_ANYCONNECT_VPN_HOSTSCAN_DOWNGRADE.NASL
Type nessus
Reporter Tenable
Modified 2018-07-06T00:00:00

Description

The remote host has a version of Cisco AnyConnect < 3.0 MR8. Such versions are affected by the following vulnerabilities :

  • The HostScan VPN downloader implementation does not compare timestamps of offered software to install with currently installed software, which may allow remote attackers to downgrade the software via ActiveX or Java components. (CVE-2012-2495)

  • Man-in-the-middle attacks are possible even when the ASA is configured with a legitimate certificate. (CVE-2012-2498)

  • No certificate name checking is performed when using IPsec as the tunnel protocol, which could result in man-in-the-middle attacks. (CVE-2012-2499)

  • Certificate names are not verified during WebLaunch of IPsec, which could result in man-in-the-middle attacks. (CVE-2012-2500)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59821);
  script_version("1.12");
  script_cvs_date("Date: 2018/07/06 11:26:08");

  script_cve_id(
    "CVE-2012-2495",
    "CVE-2012-2498",
    "CVE-2012-2499",
    "CVE-2012-2500"
  );
  script_bugtraq_id(54108, 54826, 54847);
  script_xref(name:"CISCO-BUG-ID", value:"CSCtx74235");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz26985");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz29197");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz29470");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20120620-ac");

  script_name(english:"Cisco AnyConnect Secure Mobility Client 3.0 &lt; 3.0 MR8 Multiple Vulnerabilities");
  script_summary(english:"Checks version of Cisco AnyConnect Client");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has software installed that is affected by multiple
vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host has a version of Cisco AnyConnect &lt; 3.0 MR8.
Such versions are affected by the following vulnerabilities :

  - The HostScan VPN downloader implementation does not 
    compare timestamps of offered software to install
    with currently installed software, which may allow
    remote attackers to downgrade the software via ActiveX
    or Java components. (CVE-2012-2495)

  - Man-in-the-middle attacks are possible even when the
    ASA is configured with a legitimate certificate.
    (CVE-2012-2498)

  - No certificate name checking is performed when using
    IPsec as the tunnel protocol, which could result in
    man-in-the-middle attacks. (CVE-2012-2499)

  - Certificate names are not verified during WebLaunch
    of IPsec, which could result in man-in-the-middle
    attacks. (CVE-2012-2500)"
  );
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b0b6c065");
  # http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?86b883fe");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to Cisco AnyConnect Secure Mobility Client 3.0 MR8 or 
greater."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date",value:"2012/06/20");
  script_set_attribute(attribute:"patch_publication_date",value:"2012/06/20");
  script_set_attribute(attribute:"plugin_publication_date",value:"2012/07/02");
  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:anyconnect_secure_mobility_client");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies('cisco_anyconnect_vpn_installed.nasl');
  script_require_keys('SMB/cisco_anyconnect/Installed');
  
  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('audit.inc');

appname = 'Cisco AnyConnect Mobility VPN Client';
kb_base = 'SMB/cisco_anyconnect/';
report = '';

num_installed = get_kb_item_or_exit(kb_base + 'NumInstalled');

for (install_num = 0; install_num &lt; num_installed; install_num++)
{
  path = get_kb_item_or_exit(kb_base + install_num + '/path');
  ver = get_kb_item_or_exit(kb_base + install_num + '/version');
  fix = '3.0.8057.0';
  
  if (ver =~ "^3\." && ver_compare(ver:ver, fix:fix) == -1)
  {
      report += 
        '\n  Path              : ' + path +
        '\n  Installed version : ' + ver +
        '\n  Fixed version     : ' + fix + '\n';
  }
}

if(report != '')
{
  if (report_verbosity &gt; 0)
    security_warning(port:get_kb_item('SMB/transport'), extra:report);
  else security_warning(get_kb_item('SMB/transport'));
  exit(0);
} 
else audit(AUDIT_INST_VER_NOT_VULN, appname);