Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.6
CVE Id CVE-2011-2039
Last Modified 21 Sep 2011 11:31:20
Published 02 Jun 2011 03:55:04
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2011-2039

Summary

The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.185 on Windows, and on Windows Mobile, downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a certain ActiveX control in vpnweb.ocx, aka Bug ID CSCsy00904.

Vulnerable Systems

Application

  • Cisco AnyConnect Secure Mobility Client 2.0

  • Cisco AnyConnect Secure Mobility Client 2.1

  • Cisco AnyConnect Secure Mobility Client 2.2

  • Cisco AnyConnect Secure Mobility Client 2.2.128

  • Cisco AnyConnect Secure Mobility Client 2.2.133

  • Cisco AnyConnect Secure Mobility Client 2.2.136

  • Cisco AnyConnect Secure Mobility Client 2.2.140

  • Cisco AnyConnect Secure Mobility Client 2.3


References

CERT-VN - VU#490097

XF - cisco-asmc-helper-code-execution(67739)

SECTRACK - 1025591

CISCO - 20110601 Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client

SREASON - 8272

OSVDB - 72714

IDEFENSE - 20110601 Cisco AnyConnect VPN Client Arbitrary Program Execution Vulnerability


Last Updated: 27 May 2016 10:56:53