Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2012-2494
Last Modified 21 Jun 2012 12:00:00
Published 20 Jun 2012 04:55:02
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2012-2494

Summary

The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2.x before 2.5 MR6 and 3.x before 3.0 MR8 does not compare the timestamp of offered software to the timestamp of installed software, which allows remote attackers to force a version downgrade by using (1) ActiveX or (2) Java components to offer signed code that corresponds to an older software release, aka Bug ID CSCtw48681.

Vulnerable Systems

Application

  • Cisco AnyConnect Secure Mobility Client 2.0
  • Cisco AnyConnect Secure Mobility Client 2.1
  • Cisco AnyConnect Secure Mobility Client 2.2
  • Cisco AnyConnect Secure Mobility Client 2.2.128
  • Cisco AnyConnect Secure Mobility Client 2.2.133
  • Cisco AnyConnect Secure Mobility Client 2.2.136
  • Cisco AnyConnect Secure Mobility Client 2.2.140
  • Cisco AnyConnect Secure Mobility Client 2.3
  • Cisco AnyConnect Secure Mobility Client 2.3.185
  • Cisco AnyConnect Secure Mobility Client 2.3.2016
  • Cisco AnyConnect Secure Mobility Client 2.3.254
  • Cisco AnyConnect Secure Mobility Client 2.4
  • Cisco AnyConnect Secure Mobility Client 2.4.0202
  • Cisco AnyConnect Secure Mobility Client 2.4.1012
  • Cisco AnyConnect Secure Mobility Client 2.5
  • Cisco AnyConnect Secure Mobility Client 3.0


References

CISCO - 20120620 Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client


Last Updated: 27 May 2016 10:56:33