Last night I went to shut down my Windows 7 64-bit computer and agreed to the “Install updates and shut down” option. When my system came back up I noticed that I could no longer launch my Cisco AnyConnect VPN client from Internet Explorer – ActiveX was failing. Oh great.
AnyConnect and ActiveX Killbits
Back in March 2012 a vulnerability was publicized for the Cisco AnyConnect ActiveX control. Cisco’s Security Advisory said:
Refer to Clientless SSL VPN (WebVPN) on ASA Configuration Example in order to learn more about the Clientless SSL VPN. Thin-Client SSL VPN (Port Forwarding). The latest version of the SUN Java JRE is available as a free download from the Java. Cisco Adaptive Security Appliance 5510 series. Cisco Adaptive Security Device Manager (ASDM) 5.2.
The Cisco Clientless VPN solution as deployed by Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX control on client systems to perform port forwarding operations. Microsoft Windows-based systems that are running Internet Explorer or another browser that supports Microsoft ActiveX technology may be affected if the system has ever connected to a device that is running the Cisco Clientless VPN solution. A remote, unauthenticated attacker who could convince a user to connect to a malicious web page could exploit this issue to execute arbitrary code on the affected machine with the privileges of the web browser.
The affected ActiveX control is distributed to endpoint systems by Cisco ASA. However, the impact of successful exploitation of this vulnerability is to the endpoint system only and does not compromise Cisco ASA devices.
That’s not good, of course. The workarounds offered by Cisco were to either install an ASA software update or to make registry changes that disable the ActiveX control – that is, to set the kill bit for the control.
However, even if you had not taken either action, you would likely not have had any issue with the software because there was nothing to stop you continuing to run what you already had, and unless you manually set the killbit, the control would continue to function. Microsoft helpfully sent out an update though (KB2675157) that rolled up a number of security updates including ActiveX Killbits. This clearly caused some problems, as noted in the Spiceworks thread “Microsoft Update KB2675157 breaks Cisco AnyConnect VPN“.
Interestingly, I checked my system for that update and indeed it was installed in April:
Latest Windows Updates
I say interestingly, because this did not stop me running the AnyConnect VPN client via a web page, and in fact, it has worked just fine until today. This made me go check my Windows update history to see what was actually installed last night, and I found this:
KB2736233 is an “Update Rollup for ActiveX Kill Bits” and in the Microsoft Security Advisory, it says:
This update sets the kill bits for the following third-party software:
![Cisco ssl vpn port forwarder activex free download Cisco ssl vpn port forwarder activex free download](http://www.cisco.com/c/dam/en/us/td/i/100001-200000/120001-130000/127001-128000/127411.tif/_jcr_content/renditions/127411.jpg)
- Cisco Secure Desktop. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Secure Desktop ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
- Cisco Hostscan. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Hostscan ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
- Cisco AnyConnect Secure Mobility Client. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco AnyConnect Secure Mobility Client ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
So this time, a very specific set of kill bits are set at Cisco’s request. Unfortunately (depending on your perspective), they have worked. The related Cisco Security Advisory (cisco-sa-20120620-ac) from June 20, was last updated September 7, 2012. Again, ASA software updates are the order of the day if you want to fix it.
Symptoms: It Doesn’t Work
I should clarify that the circumstances in which the AnyConnect client fails are triggered when you try to launch it from an IE web page. If you just run the client and have the profile already loaded, it works fine. However, as I swap between various client VPNs, I usually end up using the web login for each so that it populates the server details automatically, and when I try now I get this:
Groovy, right?
Solutions?
I guess getting the ASA owner to upgrade so I can use a newer client. As I mentioned, running the installed client directly is no problem – it’s just the ActiveX launcher that fails. Still, I thought I’d mention this as it’s something that will likely be hitting support desks all over the place…
Additional Links (Updated Sept 25, 2012)
A colleague at work mentioned that he had also had problems with AnyConnect under Windows 8, receiving a “The VPN Client Driver encoutered an error” message. There’s a great (and brief) write up of the problem – and the solution – over on ExhangeGeek.