[c-nsp] Cisco Security Advisory: Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability
Cisco Systems Product Security Incident Response Team
psirt at cisco.com
Wed Apr 15 12:03:40 EDT 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Cisco Security Advisory: Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability
Advisory ID: cisco-sa-20150415-csd
Revision 1.0
For Public Release 2015 April 15 16:00 UTC (GMT)
+----------------------------------------------------------------------
Summary
=======
A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user.
The Cache Cleaner feature has been deprecated since November 2012.
There is no fixed software for this vulnerability. Cisco Secure Desktop packages that includes the affected .jar files have been removed and are not anymore available for download.
Because Cisco does not control all existing Cisco Secure Desktop packages customers are advised to ensure to ensure that their Java blacklists controls have been updated to avoid potential exploitation. Refer to the "Workarounds" section of this advisory for additional information on how to mitigate this vulnerability.
Customers using Cisco Secure Desktop should migrate to Cisco Host Scan standalone package.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJVLoBCAAoJEIpI1I6i1Mx3jqoP/3YokxHktgbCs1FMmWGpsAQy
QYUf80APQYeDDmkPNVoYgD7dgYWrohukrVtfjrM1hJ5DYFWV6LZiWSJYQy/RZbRz
2FWPJc2NoAXZZVUwk/QUFg5rBsaBJ8UW8E1+TkLjiG6fDTgq4KABfUzVBAoj7/R2
iiTuagamL5xuVEJouY+HbrKHBIxOn4FpFVOoWE/Ah1nvGOQe2U/R3Ws9wMvCCoFA
+jkSWMjody88RUxykHqkQSz7jjIKCPMQEN6zuMCD6lnbzF39HTMLNdyNf40bnDcJ
C8FakUnT0ULBiwCqdRiNoxs6g6yaaA+y9yPynTXQEOAuxu1vSQoiVvZZ+U6Rzr+7
ot3tO0CmlweY0joL9bqTLvPvf7uM2IHqrwhqmhii7NPq1BXmrKeYQSF2EJghhe3t
0+ACNmEdL/xmP71sNOKSeZnSVJU6yTfENx08LeP5vTqqOqUwSO/oK72OAfuY5CmY
X6dDP2C4AolnecYuO12r4ig69qKsopuAQxV12eq6qENu/RkTF7Sk3ToF2fOfupEJ
t6l2V1IzSVmKbix1rqBTzmnEMTe0Rg0YY1sZAN0otDZUZe61cn3iL+vKX1/ScvaU
ISE6scZ7d/F9bfcrruw1Q38UvmqrZ8ojp5hJ0EL7nixlIdN3dTmsqfK6LrT9sX4/
Iim9WdrACjZ91xLsKO0X
=E1eG
-----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list