PT-2010-5155 · Openconnect · Openconnect
Jan Lieskovsky · Published 2010-10-12 · Updated 2010-10-14 · CVE-2010-3901
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
OpenConnect versions prior to 2.25
Description
The issue allows man-in-the-middle attackers to spoof arbitrary AnyConnect SSL VPN servers by presenting a crafted server certificate. This can happen in two scenarios: (1) when the certificate does not correspond to the server hostname, or (2) when the --cafile configuration option is missing.
Recommendations
For versions prior to 2.25, update to version 2.25 or later to resolve the issue. As a temporary workaround, consider configuring the --cafile option to specify a trusted certificate authority file, and ensure that server certificates are properly validated against the server hostname.
Fix
RCE
Affected Products
Openconnect