Cisco Secure Desktop ActiveX multiple security vulnerabilities

[EN] securityvulns.ru
no-pyccku

Cisco Secure Desktop ActiveX multiple security vulnerabilities
Published: 24.02.2011
Source: BUGTRAQ
SecurityVulns ID: 11456
Type: client
Level: 6/10
Description: Few code execution possibilities.

CVE: CVE-2011-0926 (A certain ActiveX control in CSDWebInstaller.ocx in Cisco Secure Desktop (CSD) does not properly verify the signature of an unspecified downloaded program, which allows remote attackers to execute arbitrary code by spoofing the CSD installation process, a different vulnerability than CVE-2010-0589.)
CVE-2011-0925 (The CSDWebInstallerCtrl ActiveX control in CSDWebInstaller.ocx in Cisco Secure Desktop (CSD) allows remote attackers to download an unintended Cisco program onto a client machine, and execute this program, by identifying a Cisco program with a Cisco digital signature and then renaming this program to inst.exe, a different vulnerability than CVE-2010-0589 and CVE-2011-0926.)

Original document ZDI, ZDI-11-092: (0day) Cisco Secure Desktop CSDWebInstaller ActiveX Control Cleaner.cab Remote Code Execution Vulnerability (24.02.2011)

ZDI, ZDI-11-091: (0day) Cisco Secure Desktop CSDWebInstaller Remote Code Execution Vulnerability (24.02.2011)

Discuss: Read or add your comments to this news (0 comments)