The Cisco AnyConnect SSL VPN ActiveX and Java clients contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Cisco AnyConnect is an SSL VPN solution that is commonly initiated from a web browser. When Internet Explorer is used, the AnyConnect VPN server provides an ActiveX control that downloads and installs the AnyConnect client software. When any other browser is used, the AnyConnect VPN server provides a signed Java applet that performs the same function. Both the ActiveX and Java versions of the AnyConnect web control fail to validate the origin of the downloaded vpndownloader.exe file before executing it, so a control loaded from an attacker's page can be made to fetch and run an executable of the attacker's choosing.
By convincing a user to view a specially crafted HTML document (e.g., a web page, or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user running the browser.
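As an added illustration (not code from Cisco or from this vulnerability note), the following Python contrasts a downloader that trusts whatever URL the hosting page supplies with one that accepts the installer only if its URL has exactly the origin the control itself was served from. The function names, the sample gateway vpn.example.com and the path layout are assumptions; the only detail taken from the advisory is the installer name vpndownloader.exe.

```python
"""Origin check for a web-delivered installer before it is executed.

Illustrative example only; it is not Cisco's code and the real control's
parameters are not described on this page. Names and hosts are assumed.
"""
import posixpath
from urllib.parse import urlsplit, unquote

INSTALLER_NAME = "vpndownloader.exe"  # file name from the advisory


class OriginMismatch(ValueError):
    """Raised when a download URL does not belong to the control's origin."""


def vulnerable_choose_installer(download_url):
    """The flaw class the advisory describes: whatever URL the page hands
    the control is used as-is, so an attacker's page can point it at an
    executable on the attacker's own server."""
    return download_url


def _origin_of(url):
    """Return (scheme, host, port) for a URL, rejecting anything that is not
    a plain https URL with a usable host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise OriginMismatch("installer must be fetched over https: %r" % url)
    # 'https://gateway@attacker.example/' parses with hostname=attacker.example;
    # refuse userinfo outright rather than relying on the parser.
    if parts.username is not None or parts.password is not None:
        raise OriginMismatch("userinfo in URL is not allowed: %r" % url)
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise OriginMismatch("no host in URL: %r" % url)
    try:
        port = parts.port or 443
    except ValueError:
        raise OriginMismatch("bad port in URL: %r" % url)
    return (parts.scheme, host, port)


def hardened_choose_installer(control_origin, download_url):
    """Accept the download only if its (scheme, host, port) equals the origin
    the control was loaded from and the file name is the expected installer.
    control_origin is the URL the control itself was served from (assumed)."""
    expected = _origin_of(control_origin)
    actual = _origin_of(download_url)
    if actual != expected:
        raise OriginMismatch(
            "download origin %r differs from control origin %r" % (actual, expected))
    # Decode and normalise the path so '%2F..%2F' tricks cannot smuggle a
    # different file name past the check.
    path = posixpath.normpath(unquote(urlsplit(download_url).path))
    if posixpath.basename(path).lower() != INSTALLER_NAME:
        raise OriginMismatch("unexpected file name in %r" % download_url)
    return download_url


def installer_allowed(control_origin, download_url):
    """Boolean wrapper around hardened_choose_installer for callers that
    prefer a yes/no answer over an exception."""
    try:
        hardened_choose_installer(control_origin, download_url)
        return True
    except OriginMismatch:
        return False


if __name__ == "__main__":
    gateway = "https://vpn.example.com/"  # assumed origin of the control
    good = "https://vpn.example.com/files/vpndownloader.exe"
    bad = "https://attacker.example/files/vpndownloader.exe"
    print("vulnerable path runs:", vulnerable_choose_installer(bad))
    print("hardened accepts gateway copy:", installer_allowed(gateway, good))
    print("hardened accepts attacker copy:", installer_allowed(gateway, bad))
```

The origin comparison is only the check this advisory says was missing. In a real installer the downloaded executable would additionally be verified (for example, its Authenticode signature checked against the expected publisher) before it is run, and the TLS connection to the gateway would be certificate-validated; neither step is shown here.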
Apply an update
This issue has been addressed in version 2.3.185 of the AnyConnect ActiveX control. Cisco recommends using version 2.5.3041 or a later 2.5.x release, or version 3.0.1047 or a later 3.0.x release. Please see the Cisco Security Advisory for more details. Note that although Cisco has also fixed the Java applet version of the AnyConnect web control, the fix does not protect client systems: an attacker can still serve the older, vulnerable applet, whose signature remains valid, and the Java platform offers no mechanism (comparable to the ActiveX kill bit) to block a specific signed applet version. Also note that Cisco has confirmed that the Windows Mobile version of AnyConnect is vulnerable, but no fixed version is planned. We recommend the following workarounds:
Cisco Systems, Inc.
Sun Microsystems, Inc.
This vulnerability was reported by Elazar Broad through iDefense.
This document was written by Will Dormann.