Search Results for: vpn client

Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability

Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.
The settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations section of this advisory.
Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093
Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 with no additional configuration required. See the Recommendations section for additional optional but recommended settings.
Upgrade instructions for systems where workarounds were previously applied
This section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes or Configuration Guide.
The following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. This file is in the following locations:

Windows: <drive>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

AnyConnect Secure Mobility Client Software Release: Earlier than 4.9.04053

Previously deployed AnyConnectLocalPolicy.xml settings:

BypassDownloader=true

New AnyConnectLocalPolicy.xml settings:

BypassDownloader=false

Instructions:

Upgrade to 4.10 using a predeploy method.
Redistribute the AnyConnectLocalPolicy.xml file with the new settings using an out-of-band deployment method.
Apply the new 4.10 settings shown in the Recommendations section.

AnyConnect Secure Mobility Client Software Release: 4.9.04053, 4.9.05042, 4.9.06037

Previously deployed AnyConnectLocalPolicy.xml settings:

RestrictScriptWebDeploy=true
RestrictHelpWebDeploy=true
RestrictResourceWebDeploy=true
RestrictLocalizationWebDeploy=true
BypassDownloader=false

New AnyConnectLocalPolicy.xml settings:

RestrictScriptWebDeploy=false
RestrictHelpWebDeploy=false
RestrictResourceWebDeploy=false
RestrictLocalizationWebDeploy=false
BypassDownloader=false

Instructions:

Upgrade to 4.10 using either a predeploy or webdeploy method.
Redistribute the AnyConnectLocalPolicy.xml file with the new settings using an out-of-band deployment method (see note 1).
Apply the new 4.10 settings shown in the Recommendations section.

1. Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. If these settings remain true, files must be distributed using an out-of-band deployment method.

Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037
For customers who have already applied the RestrictScriptWebDeploy workaround
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.
To restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment. 
There are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the Release Notes or Cisco bug ID CSCvw48062. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.

RestrictScriptWebDeploy
RestrictHelpWebDeploy
RestrictResourceWebDeploy
RestrictLocalizationWebDeploy

The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

Windows: <drive>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:

<RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
<RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
<RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
<RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>

Change each setting to true, as shown in the following example:

<RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
<RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
<RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
<RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>

Verify that the BypassDownloader setting is correct by looking for the following line:

<BypassDownloader>false</BypassDownloader>

If the BypassDownloader setting is true, change it to false, as shown in the following example:

<BypassDownloader>false</BypassDownloader>

Save the file to the original location. The file paths are noted above.
Restart the VPN Agent service or reboot the client machine.

Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053
For customers who have already applied the BypassDownloader mitigation
For customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.
Warning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.
Note: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:

All future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.
AnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.

The procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

Windows: <drive>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:

<BypassDownloader>false</BypassDownloader>

Change that setting to true, as shown in the following example:

<BypassDownloader>true</BypassDownloader>

Save the file to the original location. The file paths are noted above.
Restart the VPN Agent service or reboot the client machine.
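As an added example (not code from the Cisco advisory), the following Python check reads a copy of AnyConnectLocalPolicy.xml and reports whether a client at a given release is in the state the two procedures above describe: the 4.9.04053 to 4.9.06037 workaround (RestrictScriptWebDeploy=true with BypassDownloader=false) or the pre-4.9.04053 BypassDownloader mitigation. The sample policy is constructed, and the status names and the xmlns value are assumptions.

```python
import xml.etree.ElementTree as ET

FIX_RELEASE = (4, 10, 93)          # 4.10.00093 and later: fixed, no configuration required
WORKAROUND_RELEASE = (4, 9, 4053)  # 4.9.04053: first release with the Restrict*WebDeploy settings
RESTRICT_SETTINGS = ("RestrictScriptWebDeploy", "RestrictHelpWebDeploy",
                     "RestrictResourceWebDeploy", "RestrictLocalizationWebDeploy")

def parse_release(release):
    """'4.9.04053' -> (4, 9, 4053) so releases compare numerically."""
    return tuple(int(part) for part in release.split("."))

def policy_settings(xml_text):
    """Collect every true/false element in AnyConnectLocalPolicy.xml, ignoring any namespace."""
    settings = {}
    for element in ET.fromstring(xml_text).iter():
        value = (element.text or "").strip().lower()
        if value in ("true", "false"):
            settings[element.tag.split("}", 1)[-1]] = value
    return settings

def assess(xml_text, release):
    """Return (status, notes) for one client, following the advisory's per-release guidance."""
    rel, cfg = parse_release(release), policy_settings(xml_text)
    bypass = cfg.get("BypassDownloader", "false")
    if rel >= FIX_RELEASE:
        return "fixed", []  # the fix is in the software itself; extra settings are optional hardening
    if rel >= WORKAROUND_RELEASE:
        # 4.9.04053 to 4.9.06037: workaround is RestrictScriptWebDeploy=true with BypassDownloader=false
        if cfg.get("RestrictScriptWebDeploy") == "true" and bypass == "false":
            missing = [s for s in RESTRICT_SETTINGS if cfg.get(s) != "true"]
            return "workaround", [f"{s} is not true (strongly recommended)" for s in missing]
        return "exposed", ["set RestrictScriptWebDeploy=true and BypassDownloader=false, or upgrade"]
    # Earlier than 4.9.04053: only BypassDownloader=true mitigates, at the cost of headend updates
    if bypass == "true":
        return "mitigated", ["BypassDownloader=true: client and profile updates must be out-of-band"]
    return "exposed", ["upgrade to 4.10.00093 or later, or set BypassDownloader=true as a last resort"]

# Constructed sample policy (not a real deployment file): 4.9 workaround partially applied.
SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <BypassDownloader>false</BypassDownloader>
  <RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
  <RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
  <RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
  <RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>
</AnyConnectLocalPolicy>"""

if __name__ == "__main__":
    print(assess(SAMPLE_POLICY, "4.9.04053"))
```

Run it against the policy file collected from each endpoint by your software management system, passing the client release reported by that system.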

Cisco AnyConnect Secure Mobility Client Profile Modification Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco AnyConnect Secure Mobility Client for Windows, macOS, and Linux releases 4.10.00093 and later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
To download the software from the Software Center on Cisco.com, do the following:

Click Browse all.
Choose Security > VPN and Endpoint Security Clients > Cisco VPN Clients > AnyConnect Secure Mobility Client > AnyConnect Secure Mobility Client v4.x.
Choose the release from the left pane of the AnyConnect Secure Mobility Client v4.x page.

Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021

The following table lists Cisco products that are affected by the vulnerabilities that are described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.

Product: Cisco Adaptive Security Appliance (ASA) Software
Affected features: Clientless WebVPN and AnyConnect VPN (only when SSO is enabled)
Cisco Bug ID: CSCvx73164
Fixed Release Availability: 9.8.4.38 (Jun 2021), 9.12.4.24 (available), 9.14.3 (Jun 2021), 9.15.1.15 (available), 9.16.1.3 (available)

Product: Cisco Content Security Management Appliance (SMA)
Affected feature: Web-based management interface (only when SSO is enabled)
Cisco Bug ID: CSCvx73156
Fixed Release Availability: 13.8.1 (available), 14.1.0 (Jul 2021)

Product: Cisco Email Security Appliance (ESA)
Affected feature: Web-based management interface (only when SSO is enabled)
Cisco Bug ID: CSCvx73154
Fixed Release Availability: 14.0.0-692 GD (available)

Product: Cisco FXOS Software
Cisco Bug ID: CSCvx73164
Fixed Release Availability: 2.2.2.149 (Jul 2021), 2.3.1.216 (Jul 2021), 2.6.1.230 (Jul 2021), 2.7.1.143 (available), 2.8.1.152 (available), 2.9.1.143 (available)

Product: Cisco Web Security Appliance (WSA)
Cisco Bug ID: CSCvx73157
Fixed Release Availability: 14.0.1 (Sep 2021)

Product: Cisco Firepower Threat Defense (FTD) Software
Affected feature: AnyConnect VPN (only when SSO is enabled) (see note 1)
Cisco Bug ID: CSCvx73164
Fixed Release Availability: 6.4.0.12 (available), 6.6.5 (Jul 2021), 6.7.0.2 (available), 7.0.0 (available)

Product: Cisco Prime Collaboration Assurance
Cisco Bug ID: CSCvx73162
Fixed Release Availability: 12.1 SP4 ES (TBD)

1. The AnyConnect VPN is configurable only through FlexConfig for Cisco FTD releases earlier than Release 6.7.
The Cisco software releases listed in the following table have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.

Cisco Software: ASA Software
End-of-Life Releases: 9.7 and earlier, 9.9, 9.10, 9.13

Cisco Software: FXOS Software
End-of-Life Releases: 2.4.1, 2.7.1

Cisco Software: FTD Software
End-of-Life Releases: 6.0.1 and earlier, 6.2.0, 6.2.1, 6.5

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products and services:
Network and Content Security Devices

Cisco AMP Virtual Private Cloud Appliance

Network Management and Provisioning

Cisco Prime Collaboration Provisioning

Unified Computing

Cisco UCS B-Series M5 Blade Servers
Cisco UCS C-Series M5 Rack Servers – Managed

Video, Streaming, TelePresence, and Transcoding Devices

Cisco Video Surveillance Media Server
Cisco Video Surveillance Operations Manager
Cisco Vision Dynamic Signage Director