Signed Java and Cisco AnyConnect

A few years ago, I published a blog entry called Signed Java Applet Security: Worse than ActiveX? In that entry, I explained the problems that arise when a vulnerability is discovered in a signed Java applet. Let's see how the Cisco AnyConnect vulnerability is affected.

US-CERT Vulnerability Note VU#490097 describes a vulnerability in the Cisco AnyConnect ActiveX and Java clients that allows an attacker to download and execute arbitrary code. The vulnerability note indicates that Cisco has addressed this vulnerability, but what does that actually mean?

To exploit the ActiveX version of AnyConnect, an attacker could create a web page that hosts and uses the vulnerable version of the ActiveX control. Internet Explorer ActiveX users can "immunize" themselves against the exploit by obtaining and installing the fixed version of the AnyConnect ActiveX. Once an updated version of an ActiveX control has been installed, Internet Explorer is designed to prevent the control from being downgraded.

While Internet Explorer uses the ActiveX version of AnyConnect, other browsers use the Java version. To exploit the Java version of AnyConnect, an attacker could create a web page that hosts and uses the vulnerable version of the signed Java archive. Java will use whichever Java applet is provided by the web server. Even if a user has installed the fixed version of the Java applet, that does not prevent exploitation of the vulnerable one. In other words, simply fixing the Java applet does nothing to protect end users from being exploited.

For the most part, this situation is due to a limitation of the Java runtime and how it handles signed Java applets. However, there has been one significant change since my original blog post on signed Java applet security. As of JRE 6u14, Java supports a blacklist feature. This feature can be used to disable known-vulnerable signed Java applets based on their Manifest hash. The Java blacklist feature is a step toward the protection that ActiveX kill bits give us. One problem with Java blacklists is that Oracle does not currently provide blacklist entries for third-party Java applets. Basically, Oracle is not providing an updated JRE version that disables the vulnerable Cisco AnyConnect Java applet versions.

For additional information about how to protect against the Cisco AnyConnect vulnerability, including setting Java blacklist entries for the vulnerable versions, see US-CERT Vulnerability Note VU#490097.

Software Engineering Institute

SEI Blog

Signed Java and Cisco AnyConnect

Will Dormann

June 9, 2011

PUBLISHED IN

CITE

TAGS

SHARE

Written By

Will Dormann

Author Page

Digital Library Publications

Send a Message

More By The Author

It's Time to Retire Your Unsupported Things

October 23, 2019 • By Will Dormann

The Dangers of VHD and VHDX Files

September 4, 2019 • By Will Dormann

Expectations of Windows RDP Session Locking Behavior

July 29, 2019 • By Will Dormann, Joseph Tammariello

Life Beyond Microsoft EMET

August 29, 2018 • By Will Dormann

When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults

August 3, 2018 • By Will Dormann

More In CERT/CC Vulnerabilities

UEFI: 5 Recommendations for Securing and Restoring Trust

June 26, 2023 • By Vijay S. Sarvepalli

Vultron: A Protocol for Coordinated Vulnerability Disclosure

September 26, 2022 • By Allen D. Householder

UEFI – Terra Firma for Attackers

August 1, 2022 • By Vijay S. Sarvepalli

Probably Don’t Rely on EPSS Yet

June 6, 2022 • By Jonathan Spring

The Latest Work from the SEI: Coordinated Vulnerability Disclosure, Cybersecurity Research, Cyber Risk and Resilience, and the Importance of Fostering Diversity in Software Engineering

September 6, 2021 • By Douglas Schmidt (Vanderbilt University)