Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.3
CVE Id: CVE-2012-2495
Last Modified: 21 Jun 2012 12:00:00
Published: 20 Jun 2012 04:55:02
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2012-2495

Summary

The HostScan downloader implementation in Cisco AnyConnect Secure Mobility Client 3.x before 3.0 MR8 and Cisco Secure Desktop before 3.6.6020 does not compare the timestamp of offered software to the timestamp of installed software, which allows remote attackers to force a version downgrade by using (1) ActiveX or (2) Java components to offer signed code that corresponds to an older software release, aka Bug ID CSCtx74235.

Vulnerable Systems

Application

  • Cisco AnyConnect Secure Mobility Client 3.0

  • Cisco Secure Desktop 3.1

  • Cisco Secure Desktop 3.1.1

  • Cisco Secure Desktop 3.1.1.27

  • Cisco Secure Desktop 3.1.1.33

  • Cisco Secure Desktop 3.1.1.45

  • Cisco Secure Desktop 3.2

  • Cisco Secure Desktop 3.2.1

  • Cisco Secure Desktop 3.3

  • Cisco Secure Desktop 3.4

  • Cisco Secure Desktop 3.4.1

  • Cisco Secure Desktop 3.4.2

  • Cisco Secure Desktop 3.4.2048

  • Cisco Secure Desktop 3.5

  • Cisco Secure Desktop 3.5.1077

  • Cisco Secure Desktop 3.5.2001

  • Cisco Secure Desktop 3.5.2008

  • Cisco Secure Desktop 3.5.841


References

CISCO - 20120620 Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client


Last Updated: 27 May 2016 10:56:33