Cisco yesterday released updates for vulnerabilities in its ASA and CATALYST line, its ACE appliances and its AnyConnect VPN client. The most severe vulnerability with a CVSS score of 9.3 is found in the AnyConnect VPN client. The vulnerability in the WebLaunch software update mechanism component allows the attacker to deploy arbitrary code on the target machine. The attacker needs to setup a malicious webpage and lure the target to the malicious webpage in order to trigger the download.
Software update mechanisms have increasingly come under scrutiny over the last few years as they represent an ideal attack vector for malicious code installations. Bellisimo, Burgess and Fu published their "Secure Software Update – Disappointments and New Challenges" paper at Usenix 2006. A year later in 2007 at ekoparty Franciso Amato introduced the "evilgrade" toolkit that provides a framework to implement update exploits, see his presentation at Defcon 18 in 2010 for an overview. In 2008 Sun addressed a Java updater flaw reported by Amato and last year Apple patched an iTunes problem that was abused by the law-enforcement FinFisher trojan. Microsoft is currently in the process of hardening its update system as a result of its abuse by the "Flame" malware.
We recommend installing this update as soon as possible. Cisco credits HP’s Zero Day Initiative with the discovery of this vulnerability.