CVE-2012-2494: Input Validation
First published: Wed Jun 20 2012(Updated: )
The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2.x before 2.5 MR6 and 3.x before 3.0 MR8 does not compare the timestamp of offered software to the timestamp of installed software, which allows remote attackers to force a version downgrade by using (1) ActiveX or (2) Java components to offer signed code that corresponds to an older software release, aka Bug ID CSCtw48681.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco AnyConnect Secure | =2.0 | |
| Cisco AnyConnect Secure | =2.1 | |
| Cisco AnyConnect Secure | =2.2 | |
| Cisco AnyConnect Secure | =2.2.128 | |
| Cisco AnyConnect Secure | =2.2.133 | |
| Cisco AnyConnect Secure | =2.2.136 | |
| Cisco AnyConnect Secure | =2.2.140 | |
| Cisco AnyConnect Secure | =2.3 | |
| Cisco AnyConnect Secure | =2.3.185 | |
| Cisco AnyConnect Secure | =2.3.254 | |
| Cisco AnyConnect Secure | =2.3.2016 | |
| Cisco AnyConnect Secure | =2.4 | |
| Cisco AnyConnect Secure | =2.4.0202 | |
| Cisco AnyConnect Secure | =2.4.1012 | |
| Cisco AnyConnect Secure | =2.5 | |
| Cisco AnyConnect Secure | =3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2012-2494?
CVE-2012-2494 is rated as a high severity vulnerability that allows attackers to force a version downgrade of the Cisco AnyConnect Secure Mobility Client.
How do I fix CVE-2012-2494?
To mitigate CVE-2012-2494, upgrade to Cisco AnyConnect Secure Mobility Client version 2.5 MR6 or 3.0 MR8 or later.
What versions of Cisco AnyConnect Secure Mobility Client are affected by CVE-2012-2494?
CVE-2012-2494 affects Cisco AnyConnect Secure Mobility Client versions 2.0 through 2.4 and 3.0 prior to MR8.
Can CVE-2012-2494 be exploited remotely?
Yes, CVE-2012-2494 can be exploited remotely, allowing attackers to downgrade the software without local access.
Does CVE-2012-2494 impact system security?
Yes, exploiting CVE-2012-2494 can compromise system security by downgrading the client to a less secure version.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco anyconnect secure
- version/cisco anyconnect secure/2.0
- version/cisco anyconnect secure/2.1
- version/cisco anyconnect secure/2.2
- version/cisco anyconnect secure/2.2.128
- version/cisco anyconnect secure/2.2.133
- version/cisco anyconnect secure/2.2.136
- version/cisco anyconnect secure/2.2.140
- version/cisco anyconnect secure/2.3
- version/cisco anyconnect secure/2.3.185
- version/cisco anyconnect secure/2.3.254
- version/cisco anyconnect secure/2.3.2016
- version/cisco anyconnect secure/2.4
- version/cisco anyconnect secure/2.4.0202
- version/cisco anyconnect secure/2.4.1012
- version/cisco anyconnect secure/2.5
- version/cisco anyconnect secure/3.0