AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:C
-
A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user.
The Cache Cleaner feature has been deprecated since November 2012.
There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download.
Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation. Refer to the "Workarounds" section of this advisory for additional information on how to mitigate this vulnerability.
Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan standalone package.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd
-
Vulnerable Products
Cisco Secure Desktop is available for Cisco ASA Software and for Cisco IOS Software SSL VPN services.
To verify whether the Cisco ASA Software is configured with the Cisco Secure Desktop feature enabled, use the show webvpn csd command and verify that Secure Desktop is installed and enabled. The following example shows a Cisco ASA device with Cisco Secure Desktop version 3.6.6249 enabled:
ciscoasa# show webvpn csd
Secure Desktop version 3.6.6249.0 is currently installed and enabled.
To verify whether the Cisco IOS Software is configured with the Cisco Secure Desktop feature enabled, use the show webvpn install status csd command and verify that Secure Desktop is installed. The following example shows a Cisco IOS device with Cisco Secure Desktop version 3.1.0.9 enabled:
router#show webvpn install status csd
SSLVPN Package Cisco-Secure-Desktop version installed:
CISCO CSD CAT6K
3,1,0,9
This vulnerability affects the host that executes the malicious .jar file. Cisco ASA Software and Cisco IOS Software are not affected by this vulnerability.
Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any user, not just against consumers of Cisco Secure Desktop.
Cisco has provided the SHA-1 hashes for the affected version of the .jar file that can be used to prevent the exploit via the Java Blacklist Jar feature. Cisco has also requested Java to blacklist the affected .jar file by default. This change will be available in Java SE 8 Update 45. See the "Workarounds" section of this advisory for additional details.
Products Confirmed Not Vulnerable
Cisco Host Scan standalone and Cisco AnyConnect Secure Mobility Client do not include the affected .jar file and are not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco Secure Desktop suite enhances the Cisco ASA and Cisco IOS Clientless and AnyConnect SSL VPN capabilities by providing additional security services.
The Cache Cleaner feature is used to eliminate the information from the browser cache at the end of a clientless SSL VPN session.
A vulnerability in a Cisco-signed Java Archive (JAR) executable included in the Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user executing the affected file.
The vulnerability is due to insufficient controls while executing the cache.jar file. An attacker could exploit this vulnerability by redirecting users to a malicious website that can serve a crafted package that includes the affected .jar file and additional malicious executables.
Note: This vulnerability affects the host that executes the malicious .jar file. Cisco ASA Software and Cisco IOS Software are not affected by this vulnerability.
Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any user, not just against consumers of Cisco Secure Desktop.
Cisco has provided the SHA-1 hashes for the affected version of the .jar file that can be used to prevent the exploit via the Java Blacklist Jar feature. Cisco has also requested Java to blacklist the affected .jar file by default. This change will be available in Java SE 8 Update 45. See the "Workarounds" section of this advisory for additional details.
This vulnerability is documented in Cisco bug ID CSCup83001 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0691.
-
Exploitation of this vulnerability can be prevented by blocking execution of the cache.jar file. This can be done by using the Java Blacklist Jar feature, introduced with Java SE 6 Update 14. For information on this feature, refer to the Java SE 6 Update 14 release notes, available at http://www.oracle.com/technetwork/java/javase/6u14-137039.html.
The .jar files to be blacklisted are identified by the following SHA-1 message digests:
#Cisco - CSCup83001
mF8yk1Hxc1uH9UorvfG2GJ+ScqY=
yUcLgsHB7H6rf04gLNe0ikKrmfI=
UcdnWBajIuVvJjoGHAPA11Gkg7E=
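To check whether a copy of the affected .jar file is already present on a host, the digests above can be compared against JAR files on disk. The following is an added example, not part of the Cisco advisory or any Cisco tool; it assumes the listed values are base64-encoded SHA-1 digests of each JAR's META-INF/MANIFEST.MF (the SHA1-Digest-Manifest form used by the Java blacklist file), and the function names are hypothetical.

```python
import base64
import hashlib
import os
import zipfile

# Base64 SHA-1 digests copied from this advisory (Cisco - CSCup83001).
ADVISORY_DIGESTS = frozenset({
    "mF8yk1Hxc1uH9UorvfG2GJ+ScqY=",
    "yUcLgsHB7H6rf04gLNe0ikKrmfI=",
    "UcdnWBajIuVvJjoGHAPA11Gkg7E=",
})


def manifest_digest(jar_path):
    """Return base64(SHA-1(META-INF/MANIFEST.MF)), or None if unreadable.

    Assumption: the advisory's digests are manifest digests, as used by
    the Java blacklist file format.
    """
    try:
        with zipfile.ZipFile(jar_path) as jar:
            for name in jar.namelist():
                # Java looks the manifest up case-insensitively.
                if name.upper() == "META-INF/MANIFEST.MF":
                    raw = jar.read(name)
                    digest = hashlib.sha1(raw).digest()
                    return base64.b64encode(digest).decode("ascii")
    except (zipfile.BadZipFile, OSError, RuntimeError):
        # Corrupt, unreadable or encrypted archive: treat as "no digest".
        pass
    return None


def find_blacklisted_jars(root, digests=ADVISORY_DIGESTS):
    """Walk root; return sorted paths of .jar files whose digest is listed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".jar"):
                continue  # files without a .jar extension are skipped
            path = os.path.join(dirpath, fname)
            if manifest_digest(path) in digests:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in find_blacklisted_jars(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("blacklisted JAR:", hit)
```

A match identifies a file to remove or quarantine; it does not replace updating the Java blacklist itself, which is what prevents execution.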
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download.
Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan standalone package.
Note: The Cache Cleaner feature has been deprecated since November 2012. Additional information can be found at
http://www.cisco.com/c/en/us/td/docs/security/csd/csd36/public_notices/vault_cc_ksl_host_emulation_deprecat_notice.html
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was reported to Cisco by Jason Sinchak.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 2015-April-15 Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.