PT-2012-4063 · Linux+3 · Linux+3
Published
2012-06-20
·
Updated
2012-08-22
·
CVE-2012-2493
CVSS v2.0
9.3
High
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Cisco AnyConnect Secure Mobility Client versions 2.x through 2.5 MR5 on Windows
Cisco AnyConnect Secure Mobility Client versions 2.x through 2.5 MR5 on Mac OS X and Linux
Cisco AnyConnect Secure Mobility Client versions 3.x through 3.0 MR7 on Mac OS X and Linux
Description
The issue is related to the VPN downloader implementation in the WebLaunch feature, which does not properly validate received binaries. This allows remote attackers to execute arbitrary code via vectors involving ActiveX or Java components.
Recommendations
For Cisco AnyConnect Secure Mobility Client version 2.x on Windows, update to version 2.5 MR6 or later.
For Cisco AnyConnect Secure Mobility Client version 2.x on Mac OS X and Linux, update to version 2.5 MR6 or later.
For Cisco AnyConnect Secure Mobility Client version 3.x on Mac OS X and Linux, update to version 3.0 MR8 or later.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cisco Anyconnect Secure Mobility Client
Linux
Macos X
Windows