Cisco AnyConnect VPN and Microsoft ActiveX Killbits

AnyConnect ActiveX

Last night I went to shut down my Windows 7 64-bit computer and agreed to the “Install updates and shut down” option. When my system came back up I noticed that I could no longer launch my Cisco AnyConnect VPN client from Internet Explorer – ActiveX was failing. Oh great.

AnyConnect and ActiveX Killbits

Back in March 2012 a vulnerability was publicized for the Cisco AnyConnect ActiveX control. Cisco’s Security Advisory¬†said:

The Cisco Clientless VPN solution as deployed by Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX control on client systems to perform port forwarding operations. Microsoft Windows-based systems that are running Internet Explorer or another browser that supports Microsoft ActiveX technology may be affected if the system has ever connected to a device that is running the Cisco Clientless VPN solution. A remote, unauthenticated attacker who could convince a user to connect to a malicious web page could exploit this issue to execute arbitrary code on the affected machine with the privileges of the web browser.

The affected ActiveX control is distributed to endpoint systems by Cisco ASA. However, the impact of successful exploitation of this vulnerability is to the endpoint system only and does not compromise Cisco ASA devices.

That’s not good, of course. The workarounds offered by Cisco were to either install an ASA software update or to make registry changes that disable the ActiveX control – that is, to set the kill bit for the control.

However, even if you had not taken either action, you would likely not have had any issue with the software because there was nothing to stop you continuing to run what you already had, and unless you manually set the killbit, the control would continue to function. Microsoft helpfully sent out an update though (KB2675157) that rolled up a number of security updates including ActiveX Killbits. This clearly caused some problems, as noted in the Spiceworks thread “Microsoft Update KB2675157 breaks Cisco AnyConnect VPN“.

Interestingly, I checked my system for that update and indeed it was installed in April:

Update Install Log

Latest Windows Updates

I say interestingly, because this did not stop me running the AnyConnect VPN client via a web page, and in fact, it has worked just fine until today. This made me go check my Windows update history to see what was actually installed last night, and I found this:

Windows Update - KB2736233

KB2736233 is an “Update Rollup for ActiveX Kill Bits” and in the Microsoft Security Advisory, it says:

This update sets the kill bits for the following third-party software:

  • Cisco Secure Desktop. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Secure Desktop ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
  • Cisco Hostscan. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Hostscan ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
  • Cisco AnyConnect Secure Mobility Client. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco AnyConnect Secure Mobility Client ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.

So this time, a very specific set of kill bits are set at Cisco’s request. Unfortunately (depending on your perspective), they have worked. The related Cisco Security Advisory¬†(cisco-sa-20120620-ac) from June 20, was last updated September 7, 2012. Again, ASA software updates are the order of the day if you want to fix it.

Symptoms: It Doesn’t Work

I should clarify that the circumstances in which the AnyConnect client fails are triggered when you try to launch it from an IE web page. If you just run the client and have the profile already loaded, it works fine. However, as I swap between various client VPNs, I usually end up using the web login for each so that it populates the server details automatically, and when I try now I get this:

AnyConnect Launch 1

AnyConnect Launch 2

AnyConnect Launch 3

Groovy, right?

Solutions?

I guess getting the ASA owner to upgrade so I can use a newer client. As I mentioned, running the installed client directly is no problem – it’s just the ActiveX launcher that fails. Still, I thought I’d mention this as it’s something that will likely be hitting support desks all over the place…

 

Additional Links (Updated Sept 25, 2012)

A colleague at work mentioned that he had also had problems with AnyConnect under Windows 8, receiving a “The VPN Client Driver encoutered an error” message. There’s a great (and brief) write up of the problem – and the solution – over on ExhangeGeek.

17 Comments on Cisco AnyConnect VPN and Microsoft ActiveX Killbits

  1. Thanks for the detailed explanation. I have had this problem for the last week, and there is not much info out there yet. I didn’t realize I could just launch the client. Works fine that way. I hate to run without all updates installed in today’s environment. I will pass this along.

  2. Thanks for the very useful explanation. You mentioned that a workaround was to launch the client directly and load the profile. This works fine in most cases, however I had a particular case where this didn’t work either, presumably due to the way the particular VPN was set up. In case it might be of use for others – I found that in order to get this to work, I had to a) go via the web client through Firefox; b) ensure that the Java runtime environment was the very latest version (1.7.0_07); c) disable a setting in the Java Control Panel: Advanced / Security / General / Enable blacklist revocation check (I can’t vouch for whether that’s a good idea or not…)

    • That’s helpful info, thanks! The Java security problem might be the reason I cannot get it to launch via Java either – right now using the web interface fails in every browser for me. I have no idea if that’s a good idea either (it does sound, off hand, like a “bad thing”, but it’s progress at least!

      Thanks, Neil.

    • Hi Rich,

      The solution really is to upgrade the ASA so it offers you a newer client that isn’t affected by the killbits.

      Meanwhile, if your problem is that you connect to multiple sites using the web interface and you rely on web interface to configure your client each time, you can manually store profiles (in Win7) by going to C:usersAll UsersCiscoCisco AnyConnect VPN ClientProfile, copying “AnyConnectProfile.tmpl” to a new file and changing the extension to XML – e.g. call it “MyProfiles.xml”. Edit that file and find the part that begins <HostEntry>. You can edit those based on the examples given to add in each of the systems you connect to, e.g.

      When you run the client now, you can choose Company 1 or Company 2 from the drop down, and it’ll connect. You can choose login groups at the same time as entering your password..

  3. John, both solutions helped me out. I was tearing my hair out on trying to figure this out. I had installed the latest client on my PC but, not configured the ASA to serve it up. Once that was in place it worked as advertised. Thank you.

    • It’s /a/ solution, but since it leaves you exposed to what would appear to be fairly bad vulnerability (enough to justify asking Microsoft to issue a kilobits patch), I’d call it a workaround not a solution personally, and one with a big potential down side.

  4. Hi guys,
    i have the same problem with installation Cisco VPN client in Windows 7 and IE 9.
    I have solve with uninstall the KB2695962 and KB2736233.
    Thanks for all !

    • Hi,

      I would say “workaround” – as with a previous comment, by “resolving” the problem you are intentionally exposing your system to a bad vulnerability.

      The real solution is to upgrade the software offered by the VPN device.

      • Hi John,

        after install Cisco VPN client i have reinstall the KB2695962 and KB2736233.

        I don’t have permission for upgrade ios in the Cisco firewall.

        Bye.

  5. I work for a company and we got this same error while downloading Cisco any connect to install it Then when I try the manual setup I receive error There is a problem with this Windows Installer package A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor
    running OS Windows 7 64 bits
    Any Suggestion?

    Thanks and regards

  6. Hi I am getting the following error messages while accessing /installing the client via web. Does someone have details on how to make the anyconnect client work on windows 7? Thanks
    ************************************************************************************
    Service “Cisco AnyConnect Secure Mobility Agent” (vpnagent) failed to start. Verify that you have sufficient privileges to start system services.
    *********************************************************************************
    Web-based installation was unsuccessful. If you wish to install the Cisco AnyConnect Secure

    Mobility Client, you may download an installer package.
    Install using the link below:
    Windows 7/Vista/64/XP

    Alternatively, retry the automatic installation.
    ***************************************************************************************
    “The VPN client agent was unable to create the interprocess communication depot.”

    • Well, the obvious questions based on that error are:

      1) Do you have full administrative permissions on your computer?

      2) Have you tried downloading the installer package? Are the results any different when you do?

Leave a Reply

Your email address will not be published.


*


 

This site uses Akismet to reduce spam. Learn how your comment data is processed.