Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.
The settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations section of this advisory.
Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093
Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 with no additional configuration required. See the Recommendations section for additional optional but recommended settings.
Upgrade instructions for systems where workarounds were previously applied
This section is relevant only to customers who had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes or Configuration Guide.
The following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. This file is in the following locations:
Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/
AnyConnect Secure Mobility Client Software Release: Earlier than 4.9.04053
AnyConnectLocalPolicy.xml Settings:
  Previously deployed AnyConnectLocalPolicy.xml settings:
    BypassDownloader=true
  New AnyConnectLocalPolicy.xml settings:
    BypassDownloader=false
Instructions:
  1. Upgrade to 4.10 using a predeploy method.
  2. Redistribute the AnyConnectLocalPolicy.xml file with the new settings using an out-of-band deployment method.
  3. Apply the new 4.10 settings shown in the Recommendations section.

AnyConnect Secure Mobility Client Software Release: 4.9.04053, 4.9.05042, 4.9.06037
AnyConnectLocalPolicy.xml Settings:
  Previously deployed AnyConnectLocalPolicy.xml settings:
    RestrictScriptWebDeploy=true
    RestrictHelpWebDeploy=true
    RestrictResourceWebDeploy=true
    RestrictLocalizationWebDeploy=true
    BypassDownloader=false
  New AnyConnectLocalPolicy.xml settings:
    RestrictScriptWebDeploy=false
    RestrictHelpWebDeploy=false
    RestrictResourceWebDeploy=false
    RestrictLocalizationWebDeploy=false
    BypassDownloader=false
Instructions:
  1. Upgrade to 4.10 using either a predeploy or webdeploy method.
  2. Redistribute (see note 1) the AnyConnectLocalPolicy.xml file with the new settings using an out-of-band deployment method.
  3. Apply the new 4.10 settings shown in the Recommendations section.

Note 1: Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. If these settings remain true, files must be distributed using an out-of-band deployment method.
Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037
For customers who have already applied the RestrictScriptWebDeploy workaround
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.
To restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment.
There are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the Release Notes or Cisco bug ID CSCvw48062. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.
RestrictScriptWebDeploy
RestrictHelpWebDeploy
RestrictResourceWebDeploy
RestrictLocalizationWebDeploy
The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.
Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:
Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/
Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:
  <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
  <RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
  <RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
  <RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>
Change those settings to true, as shown in the following example:
  <RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
  <RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
  <RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
  <RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>
Verify that the BypassDownloader setting is correct by looking for the following line:
  <BypassDownloader>false</BypassDownloader>
If the BypassDownloader setting is true, change it to false, as shown in the following example:
  <BypassDownloader>false</BypassDownloader>
Save the file to the original location. The network paths are noted above.
Restart the VPN Agent service or reboot the client machine.
Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053
For customers who have already applied the BypassDownloader mitigation
For customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.
Warning: Changing the BypassDownloader setting is not recommended in most customer environments. If BypassDownloader is set to true, VPN users could be refused a connection by the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.
Note: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:
All future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.
AnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.
The procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.
Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:
Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/
Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:
  <BypassDownloader>false</BypassDownloader>
Change that setting to true, as shown in the following example:
  <BypassDownloader>true</BypassDownloader>
Save the file to the original location. The network paths are noted above.
Restart the VPN Agent service or reboot the client machine.
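The two editing procedures above, and the post-upgrade table earlier in the advisory, all come down to setting the same five elements in AnyConnectLocalPolicy.xml to one of three combinations. The following script is an added example (not Cisco tooling and not part of the advisory) that audits a policy file, reports which settings differ from the intended combination, and rewrites the file. It assumes, beyond what the advisory states, that each setting is an XML element directly under the root (for example <BypassDownloader>false</BypassDownloader>), optionally inside a default xmlns, and that the file lives at the paths the advisory lists; the embedded sample policy is constructed for the demonstration.

```python
"""Audit / update AnyConnectLocalPolicy.xml for the settings in this advisory.

Added example, not Cisco tooling. Assumed (not stated by the advisory): one XML
element per setting directly under the root, optionally in a default namespace.
"""
import platform
import sys
import xml.etree.ElementTree as ET

WEB_DEPLOY_RESTRICTIONS = (
    "RestrictScriptWebDeploy",
    "RestrictHelpWebDeploy",
    "RestrictResourceWebDeploy",
    "RestrictLocalizationWebDeploy",
)
ALL_SETTINGS = WEB_DEPLOY_RESTRICTIONS + ("BypassDownloader",)

# Target values for each situation the advisory describes.
PROFILES = {
    # 4.9.04053 / 4.9.05042 / 4.9.06037 that cannot upgrade: restrict web-deploy
    # of scripts, help, resources and localization; keep the downloader enabled.
    "workaround-4.9": {**{k: "true" for k in WEB_DEPLOY_RESTRICTIONS},
                       "BypassDownloader": "false"},
    # Earlier than 4.9.04053 that cannot upgrade: disable the downloader.
    "mitigation-pre-4.9": {"BypassDownloader": "true"},
    # After upgrading to 4.10.00093 or later: clear the earlier workaround.
    "baseline-4.10": {**{k: "false" for k in WEB_DEPLOY_RESTRICTIONS},
                      "BypassDownloader": "false"},
}

# File locations given in the advisory (platform.system() names as keys).
DEFAULT_PATHS = {
    "Windows": r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client"
               r"\AnyConnectLocalPolicy.xml",
    "Darwin": "/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml",
    "Linux": "/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml",
}

# Constructed sample of a pre-workaround policy (not a captured real file).
SAMPLE_POLICY = (
    '<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.9.04053">'
    "<FipsMode>false</FipsMode>"
    "<BypassDownloader>true</BypassDownloader>"
    "<RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>"
    "<RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>"
    "</AnyConnectLocalPolicy>"
)


def _local(tag):
    """Strip a {namespace} prefix so settings match regardless of xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    return next((c for c in root if _local(c.tag) == name), None)


def audit_policy(xml_text):
    """Map each advisory setting to its lowercased value, or None if absent."""
    root = ET.fromstring(xml_text)
    out = {}
    for name in ALL_SETTINGS:
        el = _find(root, name)
        out[name] = el.text.strip().lower() if el is not None and el.text else None
    return out


def check_profile(xml_text, profile):
    """List (setting, current, wanted) for every mismatch; empty means compliant."""
    current = audit_policy(xml_text)
    return [(k, current[k], v) for k, v in PROFILES[profile].items() if current[k] != v]


def apply_profile(xml_text, profile):
    """Return the policy XML with the profile applied; absent elements are added."""
    root = ET.fromstring(xml_text)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:  # keep a plain xmlns="..." on output instead of an ns0: prefix
        ET.register_namespace("", ns[1:-1])
    for name, value in PROFILES[profile].items():
        el = _find(root, name)
        if el is None:
            el = ET.SubElement(root, ns + name)
        el.text = value
    return ET.tostring(root, encoding="unicode")


def main(argv):
    """Usage: policy.py audit|check|apply [PROFILE] [PATH]; apply needs admin/sudo."""
    action = argv[1]
    profile = argv[2] if len(argv) > 2 else "baseline-4.10"
    path = argv[3] if len(argv) > 3 else DEFAULT_PATHS[platform.system()]
    with open(path, "rb") as f:
        text = f.read()
    if action == "apply":
        with open(path, "w", encoding="utf-8") as f:
            f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + apply_profile(text, profile))
        print(f"applied {profile} to {path}; restart the VPN Agent service")
    elif action == "check":
        for name, have, want in check_profile(text, profile):
            print(f"{name}: is {have!r}, should be {want!r}")
    else:
        print(audit_policy(text))


if __name__ == "__main__":
    main(sys.argv)
```

The "check" action is the useful one at fleet scale: run it from the endpoint management system against each client and flag hosts where the expected combination is not in place (for example a 4.10 host still carrying RestrictScriptWebDeploy=true, which silently forces out-of-band distribution). Note that ElementTree discards XML comments when it rewrites the file, so keep a copy of the vendor-shipped policy if its comments matter to you.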
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
At the time of publication, Cisco AnyConnect Secure Mobility Client for Windows, macOS, and Linux releases 4.10.00093 and later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
To download the software from the Software Center on Cisco.com, do the following:
Click Browse all.
Choose Security > VPN and Endpoint Security Clients > Cisco VPN Clients > AnyConnect Secure Mobility Client > AnyConnect Secure Mobility Client v4.x.
Choose the release from the left pane of the AnyConnect Secure Mobility Client v4.x page.
The following table lists Cisco products that are affected by the vulnerabilities that are described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.
Product: Cisco Adaptive Security Appliance (ASA) Software
  Affected features: Clientless WebVPN and AnyConnect VPN (only when SSO is enabled)
  Cisco Bug ID: CSCvx73164
  Fixed Release Availability: 9.8.4.38 (Jun 2021), 9.12.4.24 (available), 9.14.3 (Jun 2021), 9.15.1.15 (available), 9.16.1.3 (available)

Product: Cisco Content Security Management Appliance (SMA)
  Affected feature: Web-based management interface (only when SSO is enabled)
  Cisco Bug ID: CSCvx73156
  Fixed Release Availability: 13.8.1 (available), 14.1.0 (Jul 2021)

Product: Cisco Email Security Appliance (ESA)
  Affected feature: Web-based management interface (only when SSO is enabled)
  Cisco Bug ID: CSCvx73154
  Fixed Release Availability: 14.0.0-692 GD (available)

Product: Cisco FXOS Software
  Cisco Bug ID: CSCvx73164
  Fixed Release Availability: 2.2.2.149 (Jul 2021), 2.3.1.216 (Jul 2021), 2.6.1.230 (Jul 2021), 2.7.1.143 (available), 2.8.1.152 (available), 2.9.1.143 (available)

Product: Cisco Web Security Appliance (WSA)
  Cisco Bug ID: CSCvx73157
  Fixed Release Availability: 14.0.1 (Sep 2021)

Product: Cisco Firepower Threat Defense (FTD) Software
  Affected feature: AnyConnect VPN (only when SSO is enabled) (see note 1)
  Cisco Bug ID: CSCvx73164
  Fixed Release Availability: 6.4.0.12 (available), 6.6.5 (Jul 2021), 6.7.0.2 (available), 7.0.0 (available)

Product: Cisco Prime Collaboration Assurance
  Cisco Bug ID: CSCvx73162
  Fixed Release Availability: 12.1 SP4 ES (TBD)

Note 1: The AnyConnect VPN is configurable only through FlexConfig for Cisco FTD releases earlier than Release 6.7.
The Cisco software releases listed in the following table have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.
Cisco Software: ASA Software
  End-of-Life Releases: 9.7 and earlier, 9.9, 9.10, 9.13
Cisco Software: FXOS Software
  End-of-Life Releases: 2.4.1, 2.7.1
Cisco Software: FTD Software
  End-of-Life Releases: 6.0.1 and earlier, 6.2.0, 6.2.1, 6.5
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products and services:
Network and Content Security Devices
Cisco AMP Virtual Private Cloud Appliance
Network Management and Provisioning
Cisco Prime Collaboration Provisioning
Unified Computing
Cisco UCS B-Series M5 Blade Servers
Cisco UCS C-Series M5 Rack Servers – Managed
Video, Streaming, TelePresence, and Transcoding Devices
Cisco Video Surveillance Media Server
Cisco Video Surveillance Operations Manager
Cisco Vision Dynamic Signage Director