Cisco AnyConnect Secure Mobility Client < 2.3.254 Multiple Vulnerabilities

high Nessus Plugin ID 54954

Synopsis

The VPN client installed on the remote Windows host has multiple vulnerabilities.

Description

The version of Cisco AnyConnect Secure Mobility Client installed on the remote host is earlier than 2.3.254 and may have the following vulnerabilities :

- When the client is obtained from the VPN headend using a web browser, a helper application performs the download and installation. This helper application does not verify the authenticity of the downloaded installer, which could allow an attacker to send malicious code to the user instead. Only versions prior to 2.3.185 are affected by this vulnerability. (CVE-2011-2039)

- Unprivileged users can elevate to LocalSystem privileges by enabling the Start Before Logon feature and performing unspecified actions with the Cisco AnyConnect Secure Mobility client interface in the Windows logon screen. (CVE-2011-2041)

Solution

Upgrade to version 2.3.254 or later.

See Also

http://www.nessus.org/u?6072ec79

http://www.nessus.org/u?07d085fe

Plugin Details

Severity: High

ID: 54954

File Name: cisco_anyconnect_vpn_2_3_254.nasl

Version: 1.16

Type: local

Agent: windows

Family: Windows

Published: 6/3/2011

Updated: 11/15/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:cisco:anyconnect_secure_mobility_client

Required KB Items: SMB/cisco_anyconnect/NumInstalled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/1/2011

Vulnerability Publication Date: 6/1/2011

Exploitable With

Metasploit (Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute)

Reference Information

CVE: CVE-2011-2039, CVE-2011-2041

BID: 48077, 48081

CERT: 490097

CISCO-SA: cisco-sa-20110601-ac

CISCO-BUG-ID: CSCsy00904, CSCta40556