Vulnslist

find the latest Cisco vulnerabilities

Cisco AnyConnect Secure Mobility Client Software Downgrade Vulnerability

Cisco-SA-20120620-CVE-2012-2494 · Medium · Published · Updated

Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an unauthenticated, remote attacker to replace software components. The vulnerability is due to improper sanitization of user-supplied input by the affected software's download feature. An unauthenticated, remote attacker could exploit this vulnerability by persuading a user to view a malicious website. If successful, the attacker could cause the affected software to download and install an older version of the software. Cisco has confirmed the vulnerability in a security advisory and released software updates. To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.

Cisco advisory ·CSAF JSON

Workarounds

Administrators are advised to apply the appropriate updates.

Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.

Administrators are advised to monitor affected systems.

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-amb-20120620-achttp://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120620-ac

CVEsCVE-2012-2494
Cisco Bug IDsNA
CVSS ScoreBase 4.3
Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C/CDP:N/TD:N/CR:ND/IR:ND/AR:ND
Product Names From Source
Cisco AnyConnect Secure Mobility Client, Cisco Secure Client

Related Products

Product CVE Evidence
Cisco Secure Client CVE-2012-2494 Cisco OpenVuln
Cisco AnyConnect Secure Mobility Client CVE-2012-2494 Cisco OpenVuln