Vulnerabilities > CVE-2012-2500 - Cryptographic Issues vulnerability in Cisco Anyconnect Secure Mobility Client 3.0/3.0.0629/3.0.07059

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
cisco
CWE-310
nessus
NVD
Published: 2012-08-06
Updated: 2024-11-21

Summary

Cisco AnyConnect Secure Mobility Client 3.0 before 3.0.08057 does not verify the certificate name in an X.509 certificate during WebLaunch of IPsec, which allows man-in-the-middle attackers to spoof servers via a crafted certificate, aka Bug ID CSCtz29470.

Vulnerable Configurations

Part Description Count
Application
Cisco
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL familyWindows
NASL idCISCO_ANYCONNECT_VPN_HOSTSCAN_DOWNGRADE.NASL
descriptionThe remote host has a version of Cisco AnyConnect < 3.0 MR8. Such versions are affected by the following vulnerabilities : - The HostScan VPN downloader implementation does not compare timestamps of offered software to install with currently installed software, which may allow remote attackers to downgrade the software via ActiveX or Java components. (CVE-2012-2495) - Man-in-the-middle attacks are possible even when the ASA is configured with a legitimate certificate. (CVE-2012-2498) - No certificate name checking is performed when using IPsec as the tunnel protocol, which could result in man-in-the-middle attacks. (CVE-2012-2499) - Certificate names are not verified during WebLaunch of IPsec, which could result in man-in-the-middle attacks. (CVE-2012-2500)
last seen2020-06-01
modified2020-06-02
plugin id59821
published2012-07-02
reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/59821
titleCisco AnyConnect Secure Mobility Client 3.0 < 3.0 MR8 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59821);
  script_version("1.12");
  script_cvs_date("Date: 2018/07/06 11:26:08");

  script_cve_id(
    "CVE-2012-2495",
    "CVE-2012-2498",
    "CVE-2012-2499",
    "CVE-2012-2500"
  );
  script_bugtraq_id(54108, 54826, 54847);
  script_xref(name:"CISCO-BUG-ID", value:"CSCtx74235");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz26985");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz29197");
  script_xref(name:"CISCO-BUG-ID", value:"CSCtz29470");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20120620-ac");

  script_name(english:"Cisco AnyConnect Secure Mobility Client 3.0 < 3.0 MR8 Multiple Vulnerabilities");
  script_summary(english:"Checks version of Cisco AnyConnect Client");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has software installed that is affected by multiple
vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host has a version of Cisco AnyConnect < 3.0 MR8.
Such versions are affected by the following vulnerabilities :

  - The HostScan VPN downloader implementation does not 
    compare timestamps of offered software to install
    with currently installed software, which may allow
    remote attackers to downgrade the software via ActiveX
    or Java components. (CVE-2012-2495)

  - Man-in-the-middle attacks are possible even when the
    ASA is configured with a legitimate certificate.
    (CVE-2012-2498)

  - No certificate name checking is performed when using
    IPsec as the tunnel protocol, which could result in
    man-in-the-middle attacks. (CVE-2012-2499)

  - Certificate names are not verified during WebLaunch
    of IPsec, which could result in man-in-the-middle
    attacks. (CVE-2012-2500)"
  );
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b0b6c065");
  # http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?86b883fe");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to Cisco AnyConnect Secure Mobility Client 3.0 MR8 or 
greater."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date",value:"2012/06/20");
  script_set_attribute(attribute:"patch_publication_date",value:"2012/06/20");
  script_set_attribute(attribute:"plugin_publication_date",value:"2012/07/02");
  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:anyconnect_secure_mobility_client");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies('cisco_anyconnect_vpn_installed.nasl');
  script_require_keys('SMB/cisco_anyconnect/Installed');
  
  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('audit.inc');

appname = 'Cisco AnyConnect Mobility VPN Client';
kb_base = 'SMB/cisco_anyconnect/';
report = '';

num_installed = get_kb_item_or_exit(kb_base + 'NumInstalled');

for (install_num = 0; install_num < num_installed; install_num++)
{
  path = get_kb_item_or_exit(kb_base + install_num + '/path');
  ver = get_kb_item_or_exit(kb_base + install_num + '/version');
  fix = '3.0.8057.0';
  
  if (ver =~ "^3\." && ver_compare(ver:ver, fix:fix) == -1)
  {
      report += 
        '\n  Path              : ' + path +
        '\n  Installed version : ' + ver +
        '\n  Fixed version     : ' + fix + '\n';
  }
}

if(report != '')
{
  if (report_verbosity > 0)
    security_warning(port:get_kb_item('SMB/transport'), extra:report);
  else security_warning(get_kb_item('SMB/transport'));
  exit(0);
} 
else audit(AUDIT_INST_VER_NOT_VULN, appname);

References