CVE-2012-2493: Input Validation
First published: Wed Jun 20 2012(Updated: )
The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2.x before 2.5 MR6 on Windows, and 2.x before 2.5 MR6 and 3.x before 3.0 MR8 on Mac OS X and Linux, does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code via vectors involving (1) ActiveX or (2) Java components, aka Bug ID CSCtw47523.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco AnyConnect Secure | =2.0 | |
| Cisco AnyConnect Secure | =2.1 | |
| Cisco AnyConnect Secure | =2.2 | |
| Cisco AnyConnect Secure | =2.2.128 | |
| Cisco AnyConnect Secure | =2.2.133 | |
| Cisco AnyConnect Secure | =2.2.136 | |
| Cisco AnyConnect Secure | =2.2.140 | |
| Cisco AnyConnect Secure | =2.3 | |
| Cisco AnyConnect Secure | =2.3.185 | |
| Cisco AnyConnect Secure | =2.3.254 | |
| Cisco AnyConnect Secure | =2.3.2016 | |
| Cisco AnyConnect Secure | =2.4 | |
| Cisco AnyConnect Secure | =2.4.0202 | |
| Cisco AnyConnect Secure | =2.4.1012 | |
| Cisco AnyConnect Secure | =2.5 | |
| Microsoft Windows Operating System | ||
| Cisco AnyConnect Secure | =3.0 | |
| Apple iOS and macOS | ||
| Linux Kernel |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2012-2493?
CVE-2012-2493 is considered a medium to high severity vulnerability due to its potential for remote code execution.
How do I fix CVE-2012-2493?
To fix CVE-2012-2493, you should upgrade to Cisco AnyConnect Secure Mobility Client version 2.5 MR6 or later on Windows, and 3.0 MR8 or later on Mac OS X and Linux.
What impact does CVE-2012-2493 have on my system?
CVE-2012-2493 allows attackers to execute arbitrary code on affected systems by exploiting the improper validation of downloaded binaries.
Is my version of Cisco AnyConnect vulnerable to CVE-2012-2493?
Versions of Cisco AnyConnect Secure Mobility Client prior to 2.5 MR6 on Windows and prior to 3.0 MR8 on Mac OS X and Linux are vulnerable to CVE-2012-2493.
How can I determine if my software is at risk for CVE-2012-2493?
You can check your installed version of Cisco AnyConnect Secure Mobility Client against known vulnerable versions listed for CVE-2012-2493.
- agent/type
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco anyconnect secure
- version/cisco anyconnect secure/2.0
- version/cisco anyconnect secure/2.1
- version/cisco anyconnect secure/2.2
- version/cisco anyconnect secure/2.2.128
- version/cisco anyconnect secure/2.2.133
- version/cisco anyconnect secure/2.2.136
- version/cisco anyconnect secure/2.2.140
- version/cisco anyconnect secure/2.3
- version/cisco anyconnect secure/2.3.185
- version/cisco anyconnect secure/2.3.254
- version/cisco anyconnect secure/2.3.2016
- version/cisco anyconnect secure/2.4
- version/cisco anyconnect secure/2.4.0202
- version/cisco anyconnect secure/2.4.1012
- version/cisco anyconnect secure/2.5
- vendor/microsoft
- canonical/microsoft windows operating system
- version/cisco anyconnect secure/3.0
- vendor/apple
- canonical/apple ios and macos
- vendor/linux
- canonical/linux kernel