3.0.07059

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

high complexity

cisco

CWE-310

nessus

NVD

Published: 2012-08-06

Updated: 2012-08-07

Summary

Cisco AnyConnect Secure Mobility Client 3.0 before 3.0.08057 does not verify the certificate name in an X.509 certificate during WebLaunch of IPsec, which allows man-in-the-middle attackers to spoof servers via a crafted certificate, aka Bug ID CSCtz29470.

Vulnerable Configurations

Part	Description	Count
Application	Cisco Cisco Anyconnect Secure Mobility Client 3.0 Cisco Anyconnect Secure Mobility Client 3.0.0629 Cisco Anyconnect Secure Mobility Client 3.0.07059	3

Common Weakness Enumeration (CWE)

CWE-310 - Cryptographic Issues

Common Attack Pattern Enumeration and Classification (CAPEC)

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL family	Windows
NASL id	CISCO_ANYCONNECT_VPN_HOSTSCAN_DOWNGRADE.NASL
description	The remote host has a version of Cisco AnyConnect < 3.0 MR8. Such versions are affected by the following vulnerabilities : - The HostScan VPN downloader implementation does not compare timestamps of offered software to install with currently installed software, which may allow remote attackers to downgrade the software via ActiveX or Java components. (CVE-2012-2495) - Man-in-the-middle attacks are possible even when the ASA is configured with a legitimate certificate. (CVE-2012-2498) - No certificate name checking is performed when using IPsec as the tunnel protocol, which could result in man-in-the-middle attacks. (CVE-2012-2499) - Certificate names are not verified during WebLaunch of IPsec, which could result in man-in-the-middle attacks. (CVE-2012-2500)
last seen	2020-06-01
modified	2020-06-02
plugin id	59821
published	2012-07-02
reporter	This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/59821
title	Cisco AnyConnect Secure Mobility Client 3.0 < 3.0 MR8 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(59821); script_version("1.12"); script_cvs_date("Date: 2018/07/06 11:26:08"); script_cve_id( "CVE-2012-2495", "CVE-2012-2498", "CVE-2012-2499", "CVE-2012-2500" ); script_bugtraq_id(54108, 54826, 54847); script_xref(name:"CISCO-BUG-ID", value:"CSCtx74235"); script_xref(name:"CISCO-BUG-ID", value:"CSCtz26985"); script_xref(name:"CISCO-BUG-ID", value:"CSCtz29197"); script_xref(name:"CISCO-BUG-ID", value:"CSCtz29470"); script_xref(name:"CISCO-SA", value:"cisco-sa-20120620-ac"); script_name(english:"Cisco AnyConnect Secure Mobility Client 3.0 < 3.0 MR8 Multiple Vulnerabilities"); script_summary(english:"Checks version of Cisco AnyConnect Client"); script_set_attribute( attribute:"synopsis", value: "The remote host has software installed that is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "The remote host has a version of Cisco AnyConnect < 3.0 MR8. Such versions are affected by the following vulnerabilities : - The HostScan VPN downloader implementation does not compare timestamps of offered software to install with currently installed software, which may allow remote attackers to downgrade the software via ActiveX or Java components. (CVE-2012-2495) - Man-in-the-middle attacks are possible even when the ASA is configured with a legitimate certificate. (CVE-2012-2498) - No certificate name checking is performed when using IPsec as the tunnel protocol, which could result in man-in-the-middle attacks. (CVE-2012-2499) - Certificate names are not verified during WebLaunch of IPsec, which could result in man-in-the-middle attacks. (CVE-2012-2500)" ); # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b0b6c065"); # http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?86b883fe"); script_set_attribute( attribute:"solution", value: "Upgrade to Cisco AnyConnect Secure Mobility Client 3.0 MR8 or greater." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date",value:"2012/06/20"); script_set_attribute(attribute:"patch_publication_date",value:"2012/06/20"); script_set_attribute(attribute:"plugin_publication_date",value:"2012/07/02"); script_set_attribute(attribute:"plugin_type",value:"local"); script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:anyconnect_secure_mobility_client"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_dependencies('cisco_anyconnect_vpn_installed.nasl'); script_require_keys('SMB/cisco_anyconnect/Installed'); exit(0); } include('global_settings.inc'); include('misc_func.inc'); include('audit.inc'); appname = 'Cisco AnyConnect Mobility VPN Client'; kb_base = 'SMB/cisco_anyconnect/'; report = ''; num_installed = get_kb_item_or_exit(kb_base + 'NumInstalled'); for (install_num = 0; install_num < num_installed; install_num++) { path = get_kb_item_or_exit(kb_base + install_num + '/path'); ver = get_kb_item_or_exit(kb_base + install_num + '/version'); fix = '3.0.8057.0'; if (ver =~ "^3\." && ver_compare(ver:ver, fix:fix) == -1) { report += '\n Path : ' + path + '\n Installed version : ' + ver + '\n Fixed version : ' + fix + '\n'; } } if(report != '') { if (report_verbosity > 0) security_warning(port:get_kb_item('SMB/transport'), extra:report); else security_warning(get_kb_item('SMB/transport')); exit(0); } else audit(AUDIT_INST_VER_NOT_VULN, appname);

References

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html