Cisco AnyConnect VPN Client Two Vulnerabilities

Last Update Date: 3 Jun 2011 11:28 Release Date: 3 Jun 2011 6494 Views

RISK: High Risk

High Risk

TYPE: Security software and application - Security Software & Appliance

TYPE: Security Software & Appliance

Two vulnerabilities have been reported in Cisco AnyConnect VPN Client, which can be exploited by malicious people with physical access to bypass certain security restrictions and by malicious people to compromise a user's system.

  1. An error in the graphical user interface when displayed on the Windows logon screen can be exploited to perform certain actions with the privileges of the LocalSystem account.

    Successful exploitation of this vulnerability requires the Start Before Logon (SBL) feature to be enabled.


  2. An error in the helper application used for remote deployment of the client (e.g. "Cisco.AnyConnect.VPNWeb.1" ActiveX control) due to insufficient authenticity validation of downloaded executables can be exploited to download and execute an arbitrary program.

Impact

  • Remote Code Execution
  • Security Restriction Bypass

System / Technologies affected

  • Cisco AnyConnect VPN Client 2.x

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

 

Vulnerability Identifier

Source

Related Link

Share with

Previous

Symantec Products KeyView PRZ Processing Buffer Overflow Vulnerability

2 Jun 2011 6300 Views

Next

Adobe Flash Player cross-site scripting Vulnerability

7 Jun 2011 6328 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY