June 2012: four Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published four important vulnerability advisories:

  • Buffer Overflow Vulnerabilities in the Cisco WebEx Player
  • Cisco Application Control Engine Administrator IP Address Overlap Vulnerability
  • Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client
  • Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module Denial of Service Vulnerability

Buffer Overflow Vulnerabilities in the Cisco WebEx Player
The Cisco WebEx Recording Format (WRF) player contains four buffer overflow vulnerabilities and the Cisco Advanced Recording Format (ARF) player contains one buffer overflow vulnerability. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WRF and ARF players. The following client builds of Cisco WebEx Business Suite (WBS 27 and WBS 28) are affected by at least one of the vulnerabilities that are described in this advisory:

  • Client builds 28.0.0 (T28 L10N)
  • Client builds 27.32.1 (T27 LD SP32 CP1) and prior
  • Client builds 27.25.10 (T27 LC SP25 EP10) and prior
  • Client builds 27.21.10 (T27 LB SP21 EP10) and prior
  • Client builds 27.11.26 (T27 L SP11 EP26) and prior

Details
Exploitation of the vulnerabilities may cause the player application to crash or, in some cases, result in remote code execution.

To exploit one of these vulnerabilities, the player application must open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting.

Impact
Successful exploitation of the vulnerabilities that are described in this document could cause the Cisco WRF or ARF player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the WRF or ARF player application.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120627-webex

Cisco Application Control Engine Administrator IP Address Overlap Vulnerability
A vulnerability exists in Cisco Application Control Engine (ACE) software. Administrative users may be logged into an unintended context (virtual instance) on the ACE when running in multicontext mode.

Vulnerable Products
Cisco ACE appliances or modules are vulnerable when running in multicontext mode. For this vulnerability to be exploited, two or more contexts must be configured with the same management IP address. An administrator could be logged in to a different context than intended when attempting to access the management IP address of their intended context. The administrator must have valid login credentials for the unintended context; otherwise, access will be denied.

Details
Cisco ACE appliances or modules are vulnerable when running in multicontext mode. For this vulnerability to be exploited, two or more contexts must be configured with the same management IP address. The administrator must also have valid login credentials for the incorrect context in order to be logged in to it.

Impact
Successful exploitation of the vulnerability may cause users to be logged in to an unintended context as the administrator. This situation could happen inadvertently. Configurations can be viewed and/or changed by the administrator.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ace

Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client
The Cisco AnyConnect Secure Mobility Client is affected by the following vulnerabilities:

  • Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
  • Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
  • Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop HostScan Downloader Software Downgrade Vulnerability
  • Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability

Details
The Cisco AnyConnect Secure Mobility Client is the Cisco next-generation VPN client, which provides remote users with secure IPsec (IKEv2) or SSL Virtual Private Network (VPN) connections to Cisco 5500 Series Adaptive Security Appliances (ASA) and devices that are running Cisco IOS Software.

  • Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability: Cisco AnyConnect Secure Mobility Client contains an arbitrary code execution vulnerability. An unauthenticated, remote attacker could execute arbitrary code on systems that have received the ActiveX or Java components that perform the WebLaunch functionality for Cisco AnyConnect Secure Mobility Client. The attacker may supply vulnerable ActiveX or Java components for execution by an end-user. The affected ActiveX and Java components do not perform sufficient input validation and, as a result, may allow an attacker to deliver arbitrary code to an affected system and execute the code with the privileges of the user’s web browser session. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable ActiveX control or Java applet. Depending on the user’s browser configuration, the process of executing the control or applet may require little or no user interaction because the vulnerable ActiveX controls and Java applets are cryptographically signed by Cisco.
  • Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability: Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an attacker to downgrade the Cisco AnyConnect Secure Mobility Client software version to a prior software version. An unauthenticated, remote attacker could cause systems that have installed affected versions of the Cisco AnyConnect Secure Mobility client to download and install an older version of the client software. The affected ActiveX and Java components used for WebLaunch do not perform sufficient input validation and, as a result, may allow an attacker to deliver prior versions of code signed by Cisco. Older versions of Cisco AnyConnect Secure Mobility Client software could contain vulnerabilities that were not present in the system’s initial software version, and expose the system to additional vulnerabilities. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable ActiveX control or Java applet. Depending on the user’s browser configuration, the process of executing the control or applet may require little or no user interaction because the vulnerable ActiveX controls and Java applets are cryptographically signed by Cisco.
  • Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop HostScan Downloader Software Downgrade Vulnerability: Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an attacker to downgrade the affected software to a prior software version. This vulnerability is also present in Cisco Secure Desktop. An unauthenticated, remote attacker could cause systems that have installed affected versions of the Cisco AnyConnect Secure Mobility client or Cisco Secure Desktop to download and install an older version of the client software. The affected ActiveX and Java components of these affected software programs do not perform sufficient input validation and, as a result, may allow an attacker to deliver prior versions of code signed by Cisco. Older versions of Cisco AnyConnect Secure Mobility Client software or Cisco Secure Desktop software could contain vulnerabilities that were not present in the system’s initial software version, thus exposing the system to additional vulnerabilities. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable ActiveX control or Java applet. Depending on the user’s browser configuration, the process of executing the control or applet may require little or no user interaction because the vulnerable ActiveX controls and Java applets are cryptographically signed by Cisco.
  • Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability: Cisco AnyConnect Secure Mobility Client contains an arbitrary code execution vulnerability. An unauthenticated, remote attacker could execute arbitrary code on systems that have received the 64-bit Java applet that performs the WebLaunch VPN downloader functionality for Cisco AnyConnect Secure Mobility Client. The attacker may supply vulnerable Java components for execution by an end-user. The affected Java component does not perform sufficient input validation and as a result could allow an attacker to deliver arbitrary code to an affected system and execute the code with the privileges of the user’s web browser session. To exploit this vulnerability, an attacker must convince a user to visit a malicious web page and execute the vulnerable Java applet. The affected Java applets are not cryptographically signed by Cisco.

Impact
For any of the vulnerabilities in cryptographically signed applets, any system that trusts Cisco’s signing certificate chain may be impacted, even if Cisco AnyConnect Secure Mobility Client has never been installed on the system.

  • Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability: Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user’s web browser session. If the user possesses elevated privileges, arbitrary code execution could result in complete compromise of an affected system.
  • Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability: Successful exploitation of the vulnerability could allow an attacker to modify the Cisco AnyConnect Secure Mobility Client installation and replace it with an arbitrary, older version of software that is signed by Cisco. This action could expose the system to subsequent attacks against vulnerabilities found in older versions of Cisco AnyConnect Secure Mobility Client software.
  • Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop HostScan Downloader Software Downgrade Vulnerability: Successful exploitation of the vulnerability could allow an attacker to modify the Cisco AnyConnect Secure Mobility Client installation and replace it with an arbitrary, older version of software signed by Cisco. This action could expose the system to subsequent attacks against vulnerabilities found in older versions of Cisco AnyConnect Secure Mobility Client software.
  • Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability: Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user’s web browser session. If the user possesses elevated privileges, this action could result in complete compromise of an affected system.
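
The two downgrade vulnerabilities above come down to a downloader that accepts any package carrying a valid vendor signature, including an old one. The following Python is an added example, not Cisco's code and not part of the original advisory: it contrasts a signature-only check with one that also refuses anything not newer than the installed version. The HMAC key (a stand-in for a real code signature), the manifest layout, the function names and the version numbers are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Stand-in for the vendor's signing key. A real downloader verifies an
# asymmetric code signature; HMAC keeps this example self-contained.
VENDOR_KEY = b"constructed-demo-key"

def sign(manifest: dict) -> str:
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).hexdigest()

def signature_ok(manifest: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(manifest), sig)

def parse_version(text: str) -> tuple:
    """'3.1.0' -> (3, 1, 0); raises ValueError on malformed input."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)

def accept_signature_only(installed: str, manifest: dict, sig: str) -> bool:
    # Weak policy: authenticity is checked, freshness is not, so any
    # older release that was ever signed is still installable.
    return signature_ok(manifest, sig)

def accept_hardened(installed: str, manifest: dict, sig: str) -> bool:
    # Hardened policy: valid signature AND strictly newer than what is installed.
    if not signature_ok(manifest, sig):
        return False
    try:
        offered = parse_version(manifest["version"])
    except (KeyError, ValueError, AttributeError, TypeError):
        return False  # missing or malformed version: fail closed
    return offered > parse_version(installed)

# Constructed sample data, not real client builds.
INSTALLED = "3.1.0"
OLD_RELEASE = {"name": "vpn-client", "version": "2.0.0"}
NEW_RELEASE = {"name": "vpn-client", "version": "3.2.0"}

if __name__ == "__main__":
    for rel in (OLD_RELEASE, NEW_RELEASE):
        s = sign(rel)
        print(rel["version"],
              "signature-only:", accept_signature_only(INSTALLED, rel, s),
              "hardened:", accept_hardened(INSTALLED, rel, s))
```
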

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module Denial of Service Vulnerability
Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) and Cisco Catalyst 6500 Series ASA Services Module (Cisco ASASM) contain a vulnerability that may allow an unauthenticated, remote attacker to cause the reload of the affected device.

Vulnerable Products
Cisco ASA and Cisco ASASM contain a vulnerability that may allow an unauthenticated, remote attacker to cause the reload of the affected device.

Cisco ASA Software may be affected by this vulnerability if all the following conditions are present:

  • Cisco ASA or Cisco ASASM is running in transparent firewall mode
  • Cisco ASA or Cisco ASASM has IPv6 enabled
  • Cisco ASA or Cisco ASASM has system logging enabled and the system is configured to log message ID 110003
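
One way to check a saved running configuration against these three conditions, as an added example that is not part of the original advisory or a Cisco tool. It assumes message 110003 is logged whenever logging is enabled and the message has not been suppressed with `no logging message 110003`; per-destination severity levels are not evaluated, so the result errs toward flagging. The function name and the sample configurations are constructed.

```python
import re

def audit_asa_config(running_config: str) -> dict:
    """Map the three advisory conditions onto lines of an ASA running-config."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    findings = {
        # Transparent mode appears as a global "firewall transparent" line.
        "transparent_mode": "firewall transparent" in lines,
        # IPv6 is active once an interface has "ipv6 enable" or "ipv6 address ...".
        # Anchored match, so "no ipv6 enable" and "ipv6 access-list" do not count.
        "ipv6_enabled": any(re.match(r"ipv6 (enable|address)\b", ln) for ln in lines),
        # Logging must be switched on globally ...
        "logging_enabled": "logging enable" in lines,
        # ... and message 110003 must not have been suppressed.
        "msg_110003_not_suppressed": "no logging message 110003" not in lines,
    }
    findings["all_conditions_met"] = all(findings.values())
    return findings

# Constructed sample configurations (fragments only).
EXPOSED = """\
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 ipv6 enable
logging enable
logging trap informational
"""

SUPPRESSED = EXPOSED + "no logging message 110003\n"

ROUTED = """\
interface GigabitEthernet0/0
 nameif outside
 ipv6 address 2001:db8::1/64
logging enable
"""

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("SUPPRESSED", SUPPRESSED), ("ROUTED", ROUTED)):
        print(name, audit_asa_config(cfg))
```
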

Details
Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) and Cisco Catalyst 6500 Series ASA Services Module (Cisco ASASM) contain a vulnerability that may allow an unauthenticated, remote attacker to cause a reload of the affected device.

Impact
Successful exploitation of this vulnerability may result in a reload of the affected device. Repeated exploit attempts may result in a sustained denial of service (DoS) attack.

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaipv6
