Cisco warned customers Wednesday of several vulnerabilities in its AnyConnect Secure Mobility virtual private network (VPN) client, claiming that if not patched, the VPN software could be exploited by a remote attacker.

The holes are present in versions of Cisco’s VPN client for Microsoft’s Windows as well as the Linux and Apple OS X systems. Apple’s iOS, Google’s Android and Cisco’s Cius platforms are not affected, according to the alert yesterday.

The VPN software can be deployed through the web or as desktop software by end-users. In a malicious attack against the web-based version, the AnyConnect client could be tricked into thinking certain sites are trustworthy and potentially get an unsuspecting user to download a malicious component, according to the advisory.

Since they are all exploited by the software’s update mechanism, all versions of the client are vulnerable, including those deployed on the Web. The arbitrary code execution vulnerability could allow an attacker to remotely execute code on systems via ActiveX or Java, both of which help run the web-version of Cisco’s VPN client.

The software downgrade vulnerability could allow an attacker to downgrade the VPN client to an older version and then exploit previously patched holes.

Cisco’s Product Security Incident Response Team (PSIRT) offers further information on the vulnerabilities, including software updates that address the flaws, along with several workarounds on the Security Advisory section of the company’s site.

The company also announced yesterday it patched an IP address overlap hole in its Application Control Engine (ACE) software. The flaw could have been exploited if two ACE modules were simultaneously run in multicontext mode with the same management IP address. Updates, as usual for Cisco products, are available via the company’s Software Navigator interface.

Categories: Vulnerabilities, Web Security

Comment (1)

  1. Anonymous

    I wonder how many other vendors have this same problem with their SSL VPN software.

    Seems like the web feature is risky in general.

Comments are closed.