Summary

• A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user.
  
  The Cache Cleaner feature has been deprecated since November 2012.
  
  There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download.
  
  Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation. Refer to the "Workarounds" section of this advisory for additional information on how to mitigate this vulnerability.
  
  Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan standalone package.
  
  This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd

Affected Products

• Vulnerable Products

  Cisco Secure Desktop is available for Cisco ASA Software and for Cisco IOS Software SSL VPN services.
  
  To verify whether the Cisco ASA Software is configured with the Cisco Secure Desktop feature enabled, use the show webvpn csd command and verify that Secure Desktop is installed and enabled. The following example shows a Cisco ASA device with Cisco Secure Desktop version 3.6.6249 enabled:
  

  ciscoasa# show webvpn csd
  Secure Desktop version 3.6.6249.0 is currently installed and enabled.

  
  To verify whether the Cisco IOS Software  is configured with the Cisco Secure Desktop feature enabled, use the show webvpn install status csd command and verify that Secure Desktop is installed. The following example shows a Cisco IOS device with Cisco Secure Desktop version 3.1.0.9 enabled:
  

  router#show webvpn install status csd
  SSLVPN Package Cisco-Secure-Desktop version installed:
  CISCO CSD CAT6K
  3,1,0,9 
    

  
  This vulnerability affects the host that executes the malicious .jar file. Cisco ASA Software and Cisco IOS Software are not affected by this vulnerability.
  
  Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any users and not just against consumers of Cisco Secure Desktop.
  
  Cisco has provided the SHA-1 hashes for the affected version of the .jar file that can be used to prevent the exploit via the Java Blacklist Jar feature. Cisco has also requested Java to blacklist the affected .jar file by default. This change will be available in Java SE 8 Update 45. See the "Workarounds" section of this advisory for additional details.
  
  

  
  

  Products Confirmed Not Vulnerable

  Cisco Host Scan standalone and CiscoAnyConnect Secure Mobility Client do not include the affected .jar file and are not affected by this vulnerability.
  
  No other Cisco products are currently known to be affected by this vulnerability.

Details

• The Cisco Secure Desktop suite enhances the Cisco ASA and Cisco IOS Clientless and AnyConnect SSL VPN capabilities by providing additional security services.
  The Cache Cleaner feature is used to eliminate the information from the browser cache at the end of a clientless SSL VPN session.
  
  A vulnerability in a Cisco-signed Java Archive (JAR) executable included in the Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user executing the affected file.
  
  The vulnerability is due to insufficient controls while executing the cache.jar file. An attacker could exploit this vulnerability by redirecting users to a malicious website that can serve a crafted package that includes the affected .jar file and additional malicious executables.
  
  Note: This vulnerability affects the host that executes the malicious .jar file. Cisco ASA Software and Cisco IOS Software are not affected by this vulnerability.
  
  Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any users and not just against consumers of Cisco Secure Desktop.
  
  Cisco has provided the SHA-1 hashes for the affected version of the .jar file that can be used to prevent the exploit via the Java Blacklist Jar feature. Cisco has also requested Java to blacklist the affected .jar file by default. This change will be available in Java SE 8 Update 45. See the "Workarounds" section of this advisory for additional details.
  
  This vulnerability is documented in Cisco bug IDs CSCup83001 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0691

Workarounds

• An exploit of this vulnerability can be prevented by preventing the execution of the cache.jar file. This can be done by using the Java Blacklist Jar feature introduced with Java SE 6 Update 14. For information on this feature refer to the Java SE 6 Update 14 release notes, available at http://www.oracle.com/technetwork/java/javase/6u14-137039.html.

  The .jar files to be blacklisted are identified by the following SHA-1 message digests:

  #Cisco - CSCup83001
  mF8yk1Hxc1uH9UorvfG2GJ+ScqY=
  yUcLgsHB7H6rf04gLNe0ikKrmfI=
  UcdnWBajIuVvJjoGHAPA11Gkg7E=

  Cisco has also requested that Java add these hashes to the blacklist by default. This change will be available in Java SE 8 Update 45.
  
  

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

  There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download.
  
  Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan standalone package.
  
  Note: The Cache Cleaner feature has been deprecated since November 2012. Additional information can be found at
  http://www.cisco.com/c/en/us/td/docs/security/csd/csd36/public_notices/vault_cc_ksl_host_emulation_deprecat_notice.html
  
  This vulnerability affects the host that executes the malicious .jar file. Cisco ASA Software and Cisco IOS Software are not affected by this vulnerability.
  
  Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any users and not just against consumers of Cisco Secure Desktop.
  
  Cisco has provided the SHA-1 hashes for the affected version of the .jar file that can be used to prevent the exploit via the Java Blacklist Jar feature. Cisco has also requested Java to blacklist the affected .jar file by default. This change will be available in Java SE 8 Update 45. See the "Workarounds" section of this advisory for additional details.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

  This vulnerability was reported to Cisco by Jason Sinchak.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd

Revision History

• Revision 1.0

  2015-April-15

  Initial public release

  Show Less