VULNERABILITIES / FIXES - June 21, 2012
by Carol~ - 6/21/12 10:19 AM
Cisco AnyConnect VPN Client Two Vulnerabilities
Release Date : 2012-06-21
Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch
Software: Cisco AnyConnect VPN Client 2.x
Cisco AnyConnect VPN Client 3.x
Two vulnerabilities have been reported in Cisco AnyConnect VPN Client, which can be exploited by malicious people to compromise a user's system.
1) An error within the VPN Downloader update mechanism does not properly authenticate the validity of downloaded executables and can be exploited to download and execute an arbitrary program.
2) An error within the 64-bit Java VPN Downloader update mechanism does not properly authenticate the validity of downloaded executables and can be exploited to download and execute an arbitrary program.
Please see the vendor's advisory for the list of affected versions.
Update to a fixed version.
Provided and/or discovered by:
The vendor credits gwslabs.com via ZDI.