Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

After Windows Update KB2675157 ActiveX RDP throught SSL VPN stops working

We have a Cisco ASA 5510 with Clientless SSL VPN portal. I just found that after installing the last Microsoft Updates, RDP bookmarks stopped working. It keeps asking that I should install Cisco Portforwarder control, and then goes back to the home page. I changed all security settings, tried to install the control manually, but nothing works. Finally, I found that after uninstalling Internet Explorer 8 update KB2675157 it works again.

Is this a known problem?

I just tested it on Windows XP with IE 8, I don't know if the problem happens in other platforms.

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

After Windows Update KB2675157 ActiveX RDP throught SSL VPN stop

Good Afternoon,

   The issue you are running into is not caused by KB2675157.  This behavior was deliberately introduced by KB

2695962.

As documented in:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

The Cisco PSIRT asked Microsoft to set the Global Kill-Bit for the Cisco ActiveX Port Forwarder control on March 14th, 2012.    Microsoft pushed the kill-bit for the vulnerable control in the May, 2012 Microsoft Tuesday patch bundle (May 8th, 2012).

Customers should upgrade to one of the Recommended or Later releases as listed bellow.  The Recommended releases include fixes for issues disclosed in Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability as well as those disclosed in the ASA Client advisory.

Affected Version First Fixed Release Recommended Release
Cisco ASA 7.0 Not VulnerableMigrate to 7.2 or later
Cisco ASA 7.1 VulnerableVulnerable; Migrate to 7.2 or later
Cisco ASA 7.2 7.2(5.6)7.2(5.7)
Cisco ASA 8.0 8.0(5.26)Migrate to 8.2(5.26) or later
Cisco ASA 8.1 8.1(2.53)Migrate to 8.2(5.26) or later
Cisco ASA 8.2 8.2(5.18)8.2(5.26)
Cisco ASA 8.3 8.3(2.28)Migrate to 8.4(3.8) or later
Cisco ASA 8.48.4(2.16)8.4(3.8)
Cisco ASA 8.5Not Vulnerable8.5(1.7)
Cisco ASA 8.68.6(1.1)8.6(1.1)

Once the affected control has been upgraded by starting a Clientless VPN session on an ASA that contains fixed software, it will be used in all sessions.  This including those with ASA devices that may not be running the updated software.

Cheers,

-Troy

7 REPLIES
New Member

After Windows Update KB2675157 ActiveX RDP throught SSL VPN stop

Ok, I found it. The problem is not KB2675157, but kb2695962  (both are uninstalled when you delete KB2675157)

Here is the explanation from microsoft http://technet.microsoft.com/en-us/security/advisory/2695962 and here the solution from Cisco http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

In my case I have ASA 8.4(2) so I should upgrade.

New Member

Re: After Windows Update KB2675157 ActiveX RDP throught SSL VPN

Having the same problem, since the update is from MAY and the Cisco fix from MARCH i guess they wont work.

i updated to the latest 8.3.4 - did not make a difference - problem is still there.

And yeah, its the Active X Killbit update from 8th of May. ONce its uninstalled, RDP works fine (with ActiveX)

RDP session with java is not affected

I assume your update did not carry the expected result?

-Markus-

      

FIXED

ASA Interim Release 8.4.3.9 fixed all RDP ActiveX Problems

New Member

After Windows Update KB2675157 ActiveX RDP throught SSL VPN stop

Great! users were complaining about this from last week! Thanks for the  explanation

New Member

After Windows Update KB2675157 ActiveX RDP throught SSL VPN stop

I just updated to 8.3.4 and it works ok. When I tried to open the RDP bookmark from I.Explorer it asked to install the Cisco Portforwarder complement, I did it and when I tried to open it again it connected ok, then I installed the Windows Updates again and it keeps working. It still doesn't work for you?

New Member

After Windows Update KB2675157 ActiveX RDP throught SSL VPN stop

We had to manually remove the CISCO Portforwarder Control manually because it did not appear to be cleaning the old one out. We are running 8.2 code though on a 5580.

Cisco Employee

After Windows Update KB2675157 ActiveX RDP throught SSL VPN stop

Good Afternoon,

   The issue you are running into is not caused by KB2675157.  This behavior was deliberately introduced by KB

2695962.

As documented in:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

The Cisco PSIRT asked Microsoft to set the Global Kill-Bit for the Cisco ActiveX Port Forwarder control on March 14th, 2012.    Microsoft pushed the kill-bit for the vulnerable control in the May, 2012 Microsoft Tuesday patch bundle (May 8th, 2012).

Customers should upgrade to one of the Recommended or Later releases as listed bellow.  The Recommended releases include fixes for issues disclosed in Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability as well as those disclosed in the ASA Client advisory.

Affected Version First Fixed Release Recommended Release
Cisco ASA 7.0 Not VulnerableMigrate to 7.2 or later
Cisco ASA 7.1 VulnerableVulnerable; Migrate to 7.2 or later
Cisco ASA 7.2 7.2(5.6)7.2(5.7)
Cisco ASA 8.0 8.0(5.26)Migrate to 8.2(5.26) or later
Cisco ASA 8.1 8.1(2.53)Migrate to 8.2(5.26) or later
Cisco ASA 8.2 8.2(5.18)8.2(5.26)
Cisco ASA 8.3 8.3(2.28)Migrate to 8.4(3.8) or later
Cisco ASA 8.48.4(2.16)8.4(3.8)
Cisco ASA 8.5Not Vulnerable8.5(1.7)
Cisco ASA 8.68.6(1.1)8.6(1.1)

Once the affected control has been upgraded by starting a Clientless VPN session on an ASA that contains fixed software, it will be used in all sessions.  This including those with ASA devices that may not be running the updated software.

Cheers,

-Troy

New Member

After Windows Update KB2675157 ActiveX RDP throught SSL VPN stop

ASA Interim Release 8.4.(3.9) fixed all my RDP ActiveX issues i had after the MS update.

39523
Views
5
Helpful
7
Replies
CreatePlease to create content