Signed Java and Cisco AnyConnect
A few years ago, I published a blog entry called Signed Java Applet Security: Worse than ActiveX? In that entry, I explained the problems that arise when a vulnerability is discovered in a signed Java applet. Let's see how the Cisco AnyConnect vulnerability is affected.
US-CERT Vulnerability Note VU#490097 describes a vulnerability in the Cisco AnyConnect ActiveX and Java clients that allows an attacker to download and execute arbitrary code. The vulnerability note indicates that Cisco has addressed this vulnerability, but what does that actually mean?
To exploit the ActiveX version of AnyConnect, an attacker could create a web page that hosts and uses the vulnerable version of the ActiveX control. Internet Explorer ActiveX users can "immunize" themselves against the exploit by obtaining and installing the fixed version of the AnyConnect ActiveX. Once an updated version of an ActiveX control has been installed, Internet Explorer is designed to prevent the control from being downgraded.
While Internet Explorer uses the ActiveX version of AnyConnect, other browsers use the Java version. To exploit the Java version of AnyConnect, an attacker could create a web page that hosts and uses the vulnerable version of the signed Java archive. Java will use whichever Java applet is provided by the web server. Even if a user has installed the fixed version of the Java applet, that does not prevent exploitation of the vulnerable one. In other words, simply fixing the Java applet does nothing to protect end users from being exploited.
For the most part, this situation is due to a limitation of the Java runtime and how it handles signed Java applets. However, there has been one significant change since my original blog post on signed Java applet security. As of JRE 6u14, Java supports a blacklist feature. This feature can be used to disable known-vulnerable signed Java applets based on their Manifest hash. The Java blacklist feature is a step toward the protection that ActiveX kill bits give us. One problem with Java blacklists is that Oracle does not currently provide blacklist entries for third-party Java applets. Basically, Oracle is not providing an updated JRE version that disables the vulnerable Cisco AnyConnect Java applet versions.
For additional information about how to protect against the Cisco AnyConnect vulnerability, including setting Java blacklist entries for the vulnerable versions, see US-CERT Vulnerability Note VU#490097.