Details of VAR-201206-0085

ID

VAR-201206-0085

CVE

CVE-2012-2493

TITLE

Cisco AnyConnect Secure Mobility Client Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2012-002810

DESCRIPTION

The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2.x before 2.5 MR6 on Windows, and 2.x before 2.5 MR6 and 3.x before 3.0 MR8 on Mac OS X and Linux, does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code via vectors involving (1) ActiveX or (2) Java components, aka Bug ID CSCtw47523. The problem is Bug ID CSCtw47523 It is a problem.A third party may execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco AnyConnect VPN Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists due to insufficient signature checks with the Cisco AnyConnect VPN Client. When the client is invoked through the ActiveX control it downloads and checks a file called vpndownloader.exe. This file has to be properly signed by Cisco. Once this file is downloaded it is run and downloads additional configuration files. Within the downloaded config file it is possible to force a download of executable files. Those files are not properly checked for valid certificates and are run on the host as soon as they are downloaded. The Cisco AnyConnect Secure Mobility Client is a Cisco Next-Generation VPN Client that provides remote IPsec (IKEv2) or SSL Virtual Private Network (VPN) connectivity to devices running Cisco IOS Software and Cisco 5500 Series Adaptive Security Appliances (ASA). This issue affects the VPN Downloader component. An attacker can exploit this issue by using social engineering techniques to coerce unsuspecting users to download and execute arbitrary applications. Failed exploit attempts will likely result in a denial-of-service condition. These issues are tracked by Cisco Bug IDs CSCtw47523 and CSCty45925. Cisco AnyConnect Secure Mobility is a secure enterprise mobility solution. Also known as Bug ID CSCtw47523. - -- Vendor Response: Cisco has issued an update to correct this vulnerability. More details can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco - -sa-20120620-ac - -- Disclosure Timeline: 2011-11-22 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUGKFVtgMGTo1scAQJBPAf9H07i4XSMxk4rQiyN2q+nbl3EtBX0Rl1e xAplYDC/F+HWp0ZZGEQC+PDyvkkgMqlOpYVNcgZr7jHfxH82Aon4cWY02qb5C5mZ HJZbQkd0tvIUANGrOC860lPgHXkQQEroOdwSXAC+AM/11UN+3wDPdM/FSXEnzndT mQxcSgj7e5TzubW6A9NI0iHj8v+Ci38hPxC2r0JbmR3VKcbcBHqfV9By5PYDogGx Hgq87lolCGF/+DG6JP9e6zeYtPPntpq0SPHNZ77Ew5Vr/9cARf0iZn41auS20pgW j0hZC4YsC5nsQwYkns7jYO3nf6e9Jq69k3BjdudkbVe7zgb3/986Jg== =pj7G -----END PGP SIGNATURE-----

Trust: 3.24

sources: NVD: CVE-2012-2493 // JVNDB: JVNDB-2012-002810 // ZDI: ZDI-12-156 // CNVD: CNVD-2012-3352 // BID: 54107 // VULHUB: VHN-55774 // PACKETSTORM: 115808

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2012-3352

AFFECTED PRODUCTS

vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5	Trust: 2.5
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0	Trust: 2.5
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.254	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.185	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.0202	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.3.2016	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.140	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.4.1012	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.136	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.1	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.0	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.133	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.2.128	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3041	Trust: 0.9
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5.3046	Trust: 0.9
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.629	Trust: 0.9
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0 mr8	Trust: 0.8
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	2.5 mr6	Trust: 0.8
vendor:	cisco	model:	anyconnect secure mobility client	scope:	lt	version:	2.x (windows	Trust: 0.8
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	mac os x	Trust: 0.8
vendor:	cisco	model:	anyconnect secure mobility client	scope:	lt	version:	3.x (mac os x	Trust: 0.8
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	linux)	Trust: 0.8
vendor:	cisco	model:	anyconnect vpn client	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-12-156 // CNVD: CNVD-2012-3352 // BID: 54107 // JVNDB: JVNDB-2012-002810 // CNNVD: CNNVD-201206-373 // NVD: CVE-2012-2493

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2012-2493
value:	HIGH
Trust: 1.0
NVD:	CVE-2012-2493
value:	HIGH
Trust: 0.8
ZDI:	CVE-2012-2493
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-201206-373
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-55774
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2012-2493
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
ZDI:	CVE-2012-2493
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7
VULHUB:	VHN-55774
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-12-156 // VULHUB: VHN-55774 // JVNDB: JVNDB-2012-002810 // CNNVD: CNNVD-201206-373 // NVD: CVE-2012-2493

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-55774 // JVNDB: JVNDB-2012-002810 // NVD: CVE-2012-2493

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 115808 // CNNVD: CNNVD-201206-373

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201206-373

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-002810

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-55774

PATCH

title:	cisco-sa-20120620-ac	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac	Trust: 0.8
title:	26196	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=26196	Trust: 0.8
title:	Update Rollup for ActiveX Kill Bits (2736233)	url:	http://technet.microsoft.com/en-us/security/advisory/2736233	Trust: 0.8
title:	Java SE Development Kit 7, Update 9 (JDK 7u9)	url:	http://www.oracle.com/technetwork/java/javase/7u9-relnotes-1863279.html	Trust: 0.8
title:	Java SE Development Kit 6, Update 37 (JDK 6u37)	url:	http://www.oracle.com/technetwork/java/javase/6u37-relnotes-1863283.html	Trust: 0.8
title:	cisco-sa-20120620-ac	url:	http://www.cisco.com/cisco/web/support/JP/111/1115/1115492_cisco-sa-20120620-ac-j.html	Trust: 0.8
title:	ActiveX の Kill Bit 更新プログラムのロールアップ (2736233)	url:	http://technet.microsoft.com/ja-jp/security/advisory/2736233	Trust: 0.8
title:	Cisco has issued an update to correct this vulnerability. -sa-20120620-ac	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco	Trust: 0.7
title:	Patch for Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability (CNVD-2012-3352)	url:	https://www.cnvd.org.cn/patchInfo/show/18302	Trust: 0.6

sources: ZDI: ZDI-12-156 // CNVD: CNVD-2012-3352 // JVNDB: JVNDB-2012-002810

EXTERNAL IDS

db:	NVD	id:	CVE-2012-2493	Trust: 4.2
db:	ZDI	id:	ZDI-12-156	Trust: 0.8
db:	JVNDB	id:	JVNDB-2012-002810	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-1411	Trust: 0.7
db:	CNNVD	id:	CNNVD-201206-373	Trust: 0.7
db:	CNVD	id:	CNVD-2012-3352	Trust: 0.6
db:	CISCO	id:	20120620 MULTIPLE VULNERABILITIES IN CISCO ANYCONNECT SECURE MOBILITY CLIENT	Trust: 0.6
db:	NSFOCUS	id:	19849	Trust: 0.6
db:	BID	id:	54107	Trust: 0.3
db:	PACKETSTORM	id:	115808	Trust: 0.2
db:	VULHUB	id:	VHN-55774	Trust: 0.1

sources: ZDI: ZDI-12-156 // CNVD: CNVD-2012-3352 // VULHUB: VHN-55774 // BID: 54107 // JVNDB: JVNDB-2012-002810 // PACKETSTORM: 115808 // CNNVD: CNNVD-201206-373 // NVD: CVE-2012-2493

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20120620-ac	Trust: 2.3
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2493	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-2493	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/19849	Trust: 0.6
url:	http://www.cisco.com	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/disclosure_policy/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2012-2493	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-12-156	Trust: 0.1
url:	http://twitter.com/thezdi	Trust: 0.1
url:	http://www.zerodayinitiative.com	Trust: 0.1

CREDITS

gwslabs.com

Trust: 0.7

sources: ZDI: ZDI-12-156

SOURCES

db:	ZDI	id:	ZDI-12-156
db:	CNVD	id:	CNVD-2012-3352
db:	VULHUB	id:	VHN-55774
db:	BID	id:	54107
db:	JVNDB	id:	JVNDB-2012-002810
db:	PACKETSTORM	id:	115808
db:	CNNVD	id:	CNNVD-201206-373
db:	NVD	id:	CVE-2012-2493

LAST UPDATE DATE

2025-04-11T22:56:15.857000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-12-156	date:	2012-08-22T00:00:00
db:	CNVD	id:	CNVD-2012-3352	date:	2012-06-28T00:00:00
db:	VULHUB	id:	VHN-55774	date:	2012-06-21T00:00:00
db:	BID	id:	54107	date:	2012-09-11T18:50:00
db:	JVNDB	id:	JVNDB-2012-002810	date:	2012-12-14T00:00:00
db:	CNNVD	id:	CNNVD-201206-373	date:	2012-06-27T00:00:00
db:	NVD	id:	CVE-2012-2493	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-12-156	date:	2012-08-22T00:00:00
db:	CNVD	id:	CNVD-2012-3352	date:	2012-06-28T00:00:00
db:	VULHUB	id:	VHN-55774	date:	2012-06-20T00:00:00
db:	BID	id:	54107	date:	2012-06-20T00:00:00
db:	JVNDB	id:	JVNDB-2012-002810	date:	2012-06-22T00:00:00
db:	PACKETSTORM	id:	115808	date:	2012-08-23T02:40:54
db:	CNNVD	id:	CNNVD-201206-373	date:	2012-06-21T00:00:00
db:	NVD	id:	CVE-2012-2493	date:	2012-06-20T20:55:02.137