Squashed commit of the following:

commit a78b6142449b71ccd1cd7061b5363f6882b2e00b Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:19:22 2014 -0400 fix indentation commit 5e61eba30f98343fb172687bd377acae6cb9e242 Merge: d446fa7 9696dd5 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:15:50 2014 -0400 Merge branch 'master' into anyconnect commit d446fa76181d97287604b48719dd3f714987b775 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:15:09 2014 -0400 Update CHANGELOG commit 1590b8a8598bfd06c767c31312dc56c8e306c556 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:13:27 2014 -0400 update script.db commit 93eb927e21d3e3702da36668628b70c42f14f0db Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:09:51 2014 -0400 update anyconnect library to better capture version add missing libraries http-cisco-anyconnect.nse add new scripts to detect vulnerabilities cve2014-2126 through 2129 commit 92fecad07d340e60abbe502a4541d6e4f71af224 Author: Patrik Karlsson <patrik@cqure.net> Date: Sat May 24 09:09:14 2014 -0400 initial commit
2025-12-12 18:59:03 +00:00 · 2014-05-26 01:28:38 +00:00
parent 81b5ef8e99
commit c950dcb154
8 changed files with 537 additions and 0 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Add Cisco Anyconnect library and scripts http-cisco-anyconnect,
+  http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
+  http-vuln-cve2014-2129. [Patrik Karlsson]
+
 o [NSE] Add enip-info script to get device information from SCADA/ICS devices
  via EtherNet/IP [Stephen Hilt]

--- a/nselib/anyconnect.lua
+++ b/nselib/anyconnect.lua
@@ -0,0 +1,146 @@
+---
+-- This library implements HTTP requests used by the Cisco AnyConnect VPN Client
+--
+-- @author "Patrik Karlsson <patrik@cqure.net>"
+--
+-- @args anyconnect.group AnyConnect tunnel group (default: VPN)
+-- @args anyconnect.mac MAC address of connecting client (default: random MAC)
+-- @args anyconnect.version Version of connecting client (default: 3.1.05160)
+-- @args anyconnect.ua User Agent of connecting client (default: AnyConnect Darwin_i386 3.1.05160)
+
+local http = require('http')
+local stdnse = require('stdnse')
+local url = require('url')
+local math = require('math')
+local table = require('table')
+local os = require('os')
+local string = require('string')
+
+local args_group= stdnse.get_script_args('anyconnect.group') or "VPN"
+local args_mac= stdnse.get_script_args('anyconnect.mac')
+local args_ver = stdnse.get_script_args('anyconnect.version') or "3.1.05160"
+local args_ua = stdnse.get_script_args('anyconnect.ua') or ("AnyConnect Darwin_i386 %s"):format(args_ver)
+
+_ENV = stdnse.module("anyconnect", stdnse.seeall)
+
+Cisco = {
+
+  Util = {
+
+    generate_mac = function()
+      math.randomseed(os.time())
+      local mac = {}
+      for i=1,6 do
+        mac[#mac + 1] = (("%x"):format(math.random(255))):gsub(' ', '0');
+      end
+      return table.concat(mac,':')
+    end,
+
+  },
+  
+  AnyConnect = {
+
+    new = function(self, host, port)
+      local o = { host = host, port = port }
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+    
+    -- generate a random hex-string of length 'length'
+    --
+    generate_random = function(length)
+      local rnd = ""
+
+      for i=1, length do
+        rnd = rnd .. string.format("%.2X", math.random(255))
+      end
+      return rnd
+    end,
+
+    connect = function(self)
+      args_mac = args_mac or Cisco.Util.generate_mac()
+      local headers = {
+        ['User-Agent'] = args_ua,
+        ['Accept'] = '*/*',
+        ['Accept-Encoding'] = 'identity',
+        ['X-Transcend-Version'] = 1,
+        ['X-Aggregate-Auth'] = 1,
+        ['X-AnyConnect-Platform'] = 'mac-intel'
+      }
+
+      local data = ([[<?xml version="1.0" encoding="UTF-8"?>
+<config-auth client="vpn" type="init" aggregate-auth-version="2">
+<version who="vpn">%s</version>
+<device-id device-type="MacBookAir4,1" platform-version="10.9.2" unique-id="%s">mac-intel</device-id>
+<mac-address-list>
+<mac-address>%s</mac-address></mac-address-list>
+<group-select>%s</group-select>
+<group-access>https://%s:%s</group-access>
+</config-auth>]]):format(args_ver, self.generate_random(64), args_mac, args_group, self.host.ip, self.port.number)
+
+      local options = { header=headers , no_cache=true, redirect_ok = function(host,port)
+          local c = 5
+          return function(url)
+            if ( c==0 ) then return false end
+            c = c - 1
+            return true
+          end
+        end
+      }
+
+
+      local response = http.head(self.host, self.port, '/', options)
+      -- account for redirects
+      if not response.status == 200 then
+        return false, "Failed to connect to SSL VPN server"
+      elseif response.location then
+        local u = url.parse(response.location[#response.location])
+        self.host = u.host
+      end
+
+      response = http.post(self.host, self.port, '/', options, nil, data)
+
+      if response.status ~= 200 or response.body == nil then
+        return false, "Error in SSL VPN server response"
+      end
+
+      local xmltags = {
+        'version',
+        'tunnel-group',
+        'group-alias',
+        'config-hash',
+        'host-scan-ticket',
+        'host-scan-token',
+        'host-scan-base-uri',
+        'host-scan-wait-uri',
+        'banner'
+      }
+
+      self.conn_attr = {}
+      for _, tag in ipairs(xmltags) do
+        local body = response.body:gsub('\r?\n', '')
+        local filter = ("<%s.->(.*)</%s>"):format(tag:gsub('-', '%%-'), tag:gsub('-', '%%-'))
+        local m = body:match(filter)
+        if m then
+          self.conn_attr[tag] = m
+        end
+      end
+      -- in case we were redirected
+      self.conn_attr['host'] = stdnse.get_hostname(self.host)
+      return true
+    end,
+
+    ---
+    -- Returns the version of the remote SSL VPN concentrator
+    -- @return table containing major, minor and rev numeric values
+    get_version = function(self)
+      local ver = {}
+      ver['major'], ver['minor'], ver['rev'] = self.conn_attr['version']:match('^(%d-)%.(%d-)%((.*)%)$')
+      return ver
+    end
+
+  }
+}
+
+return _ENV
--- a/scripts/http-cisco-anyconnect.nse
+++ b/scripts/http-cisco-anyconnect.nse
@@ -0,0 +1,59 @@
+local anyconnect = require('anyconnect')
+local stdnse = require('stdnse')
+local shortport = require('shortport')
+local nmap = require('nmap')
+local sslcert = require('sslcert')
+
+description = [[
+Connect as Cisco AnyConnect client to a Cisco SSL VPN and retrieves version
+and tunnel information.
+]]
+
+---
+-- @usage
+-- nmap -p 443 --script http-cisco-anyconnect <target>
+--
+-- @output
+-- PORT    STATE SERVICE REASON
+-- 443/tcp open  https   syn-ack
+-- | http-cisco-anyconnect: 
+-- |   version: 9.1(5)
+-- |   tunnel-group: VPN
+-- |   group-alias: vpn
+-- |   config-hash: 7328433471719
+-- |_  host: vpn.example.com
+--
+-- @xmloutput
+-- <elem key="version">9.1(5)</elem>
+-- <elem key="tunnel-group">VPN</elem>
+-- <elem key="group-alias">vpn</elem>
+-- <elem key="config-hash">7328433471719</elem>
+-- <elem key="host">vpn.example.com</elem>
+--
+
+author = "Patrik Karlsson <patrik@cqure.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+end
+
+action = function(host, port)
+  local ac = anyconnect.Cisco.AnyConnect:new(host, port)
+  local status = ac:connect()
+  if status then
+    local o = stdnse.output_table()
+    local xmltags = { 'version', 'tunnel-group', 'group-alias',
+      'config-hash', 'host-scan-ticket', 'host-scan-token',
+      'host-scan-base-uri', 'host-scan-wait-uri', 'host' }
+
+    -- add login banner if running in debug mode
+    if nmap.verbosity() > 2 then xmltags[#xmltags] = 'banner' end
+
+    for _, tag in ipairs(xmltags) do
+      o[tag] = ac.conn_attr[tag]
+    end
+    return o
+  end
+end
--- a/scripts/http-vuln-cve2014-2126.nse
+++ b/scripts/http-vuln-cve2014-2126.nse
@@ -0,0 +1,81 @@
+local anyconnect = require('anyconnect')
+local stdnse = require('stdnse')
+local shortport = require('shortport')
+local vulns = require('vulns')
+local sslcert = require('sslcert')
+
+description = [[
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126).
+]] 
+
+---
+-- @usage
+-- nmap -p 443 --script http-vuln-cve2014-2126 <target>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 443/tcp open  https
+-- | http-vuln-cve2014-2126: 
+-- |   VULNERABLE:
+-- |   Cisco ASA ASDM Privilege Escalation Vulnerability
+-- |     State: VULNERABLE
+-- |     Risk factor: High  CVSSv2: 8.5 (HIGH) (AV:N/AC:M/AU:S/C:C/I:C/A:C)
+-- |     Description:
+-- |       Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47), 8.4 before 8.4(7.5), 8.7 before 8.7(1.11), 9.0 before 9.0(3.10), and 9.1 before 9.1(3.4) allows remote authenticated users to gain privileges by leveraging level-0 ASDM access, aka Bug ID CSCuj33496.
+-- |           
+-- |     References:
+-- |       http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa
+-- |_      http://cvedetails.com/cve/2014-2126/
+
+
+author = "Patrik Karlsson <patrik@cqure.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
+
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+end
+
+action = function(host, port)
+  local vuln_table = {
+    title = "Cisco ASA ASDM Privilege Escalation Vulnerability",
+    state = vulns.STATE.NOT_VULN,
+    risk_factor = "High",
+    scores = {
+      CVSSv2 = "8.5 (HIGH) (AV:N/AC:M/AU:S/C:C/I:C/A:C)",
+    },
+    description = [[
+Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47), 8.4 before 8.4(7.5), 8.7 before 8.7(1.11), 9.0 before 9.0(3.10), and 9.1 before 9.1(3.4) allows remote authenticated users to gain privileges by leveraging level-0 ASDM access, aka Bug ID CSCuj33496.
+    ]],
+
+    references = {
+      'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa',
+      'http://cvedetails.com/cve/2014-2126/'
+    }
+  }
+
+  local vuln_versions = {
+  	['8'] = {
+  		['2'] = 5.47,
+  		['4'] = 7.5,
+  		['7'] = 1.11,
+  	},
+  	['9'] = {
+  		['0'] = 3.10,
+  		['1'] = 3.4,
+  	},
+	}
+
+  local report = vulns.Report:new(SCRIPT_NAME, host, port)
+	local ac = anyconnect.Cisco.AnyConnect:new(host, port)
+	local status = ac:connect()
+	if status then
+  	local ver = ac:get_version()
+		if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then
+			if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then
+				vuln_table.state = vulns.STATE.VULN
+			end
+		end
+  end
+  return report:make_output(vuln_table)
+end
--- a/scripts/http-vuln-cve2014-2127.nse
+++ b/scripts/http-vuln-cve2014-2127.nse
@@ -0,0 +1,81 @@
+local anyconnect = require('anyconnect')
+local stdnse = require('stdnse')
+local shortport = require('shortport')
+local vulns = require('vulns')
+local sslcert = require('sslcert')
+
+description = [[
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127).
+]] 
+
+---
+-- @usage
+-- nmap -p 443 --script http-vuln-cve2014-2127 <target>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 443/tcp open  https
+-- | http-vuln-cve2014-2127: 
+-- |   VULNERABLE:
+-- |   Cisco ASA SSL VPN Privilege Escalation Vulnerability
+-- |     State: VULNERABLE
+-- |     Risk factor: High  CVSSv2: 8.5 (HIGH) (AV:N/AC:M/AU:S/C:C/I:C/A:C)
+-- |     Description:
+-- |       Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099.
+-- |           
+-- |     References:
+-- |       http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa
+-- |_      http://cvedetails.com/cve/2014-2127/
+
+author = "Patrik Karlsson <patrik@cqure.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
+
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+end
+
+action = function(host, port)
+  local vuln_table = {
+    title = "Cisco ASA SSL VPN Privilege Escalation Vulnerability",
+    state = vulns.STATE.NOT_VULN,
+    risk_factor = "High",
+    scores = {
+      CVSSv2 = "8.5 (HIGH) (AV:N/AC:M/AU:S/C:C/I:C/A:C)",
+    },
+    description = [[
+Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099.
+    ]],
+
+    references = {
+      'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa',
+      'http://cvedetails.com/cve/2014-2127/'
+    }
+  }
+
+  local vuln_versions = {
+  	['8'] = {
+  		['2'] = 5.48,
+      ['3'] = 2.40,
+  		['4'] = 7.9,
+      ['6'] = 1.13,
+  	},
+  	['9'] = {
+  		['0'] = 4.1,
+  		['1'] = 4.3,
+  	},
+	}
+
+  local report = vulns.Report:new(SCRIPT_NAME, host, port)
+	local ac = anyconnect.Cisco.AnyConnect:new(host, port)
+	local status = ac:connect()
+	if status then
+  	local ver = ac:get_version()
+		if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then
+			if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then
+				vuln_table.state = vulns.STATE.VULN
+			end
+		end
+  end
+  return report:make_output(vuln_table)
+end
--- a/scripts/http-vuln-cve2014-2128.nse
+++ b/scripts/http-vuln-cve2014-2128.nse
@@ -0,0 +1,82 @@
+local anyconnect = require('anyconnect')
+local stdnse = require('stdnse')
+local shortport = require('shortport')
+local vulns = require('vulns')
+local sslcert = require('sslcert')
+
+description = [[
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
+]]
+
+---
+-- @usage
+-- nmap -p 443 --script http-vuln-cve2014-2127 <target>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 443/tcp open  https
+-- | http-vuln-cve2014-2128: 
+-- |   VULNERABLE:
+-- |   Cisco ASA SSL VPN Authentication Bypass Vulnerability
+-- |     State: VULNERABLE
+-- |     Risk factor: Medium  CVSSv2: 5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)
+-- |     Description:
+-- |       The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
+-- |           
+-- |     References:
+-- |       http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa
+-- |_      http://cvedetails.com/cve/2014-2128/
+
+author = "Patrik Karlsson <patrik@cqure.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
+
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+end
+
+action = function(host, port)
+  local vuln_table = {
+    title = "Cisco ASA SSL VPN Authentication Bypass Vulnerability",
+    state = vulns.STATE.NOT_VULN,
+    risk_factor = "Medium",
+    scores = {
+      CVSSv2 = "5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)",
+    },
+    description = [[
+The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
+    ]],
+
+    references = {
+      'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa',
+      'http://cvedetails.com/cve/2014-2128/'
+    }
+  }
+
+  local vuln_versions = {
+  	['8'] = {
+  		['2'] = 5.47,
+      ['3'] = 2.40,
+  		['4'] = 7.3,
+      ['6'] = 1.13,
+  		['7'] = 1.11,
+  	},
+  	['9'] = {
+  		['0'] = 3.8,
+  		['1'] = 3.2,
+  	},
+	}
+
+  local report = vulns.Report:new(SCRIPT_NAME, host, port)
+	local ac = anyconnect.Cisco.AnyConnect:new(host, port)
+	local status = ac:connect()
+	if status then
+  	local ver = ac:get_version()
+		if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then
+			if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then
+				vuln_table.state = vulns.STATE.VULN
+			end
+		end
+  end
+  return report:make_output(vuln_table)
+end
--- a/scripts/http-vuln-cve2014-2129.nse
+++ b/scripts/http-vuln-cve2014-2129.nse
@@ -0,0 +1,79 @@
+local anyconnect = require('anyconnect')
+local stdnse = require('stdnse')
+local shortport = require('shortport')
+local vulns = require('vulns')
+local sslcert = require('sslcert')
+
+description = [[
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129).
+]] 
+
+---
+-- @usage
+-- nmap -p 443 --script http-vuln-cve2014-2127 <target>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 443/tcp open  https
+-- | http-vuln-cve2014-2129: 
+-- |   VULNERABLE:
+-- |   Cisco ASA SIP Denial of Service Vulnerability
+-- |     State: VULNERABLE
+-- |     Risk factor: High  CVSSv2: 7.1 (HIGH) (AV:N/AC:M/AU:N/C:N/I:N/A:C)
+-- |     Description:
+-- |       The SIP inspection engine in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.48), 8.4 before 8.4(6.5), 9.0 before 9.0(3.1), and 9.1 before 9.1(2.5) allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted SIP packets, aka Bug ID CSCuh44052.
+-- |           
+-- |     References:
+-- |       http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa
+-- |_      http://cvedetails.com/cve/2014-2129/
+
+author = "Patrik Karlsson <patrik@cqure.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
+
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+end
+
+action = function(host, port)
+  local vuln_table = {
+    title = "Cisco ASA SIP Denial of Service Vulnerability",
+    state = vulns.STATE.NOT_VULN,
+    risk_factor = "High",
+    scores = {
+      CVSSv2 = "7.1 (HIGH) (AV:N/AC:M/AU:N/C:N/I:N/A:C)",
+    },
+    description = [[
+The SIP inspection engine in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.48), 8.4 before 8.4(6.5), 9.0 before 9.0(3.1), and 9.1 before 9.1(2.5) allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted SIP packets, aka Bug ID CSCuh44052.
+    ]],
+
+    references = {
+      'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa',
+      'http://cvedetails.com/cve/2014-2129/'
+    }
+  }
+
+  local vuln_versions = {
+  	['8'] = {
+  		['2'] = 5.48,
+  		['4'] = 6.5,
+  	},
+  	['9'] = {
+  		['0'] = 3.1,
+  		['1'] = 2.5,
+  	},
+	}
+
+  local report = vulns.Report:new(SCRIPT_NAME, host, port)
+	local ac = anyconnect.Cisco.AnyConnect:new(host, port)
+	local status = ac:connect()
+	if status then
+  	local ver = ac:get_version()
+		if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then
+			if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then
+				vuln_table.state = vulns.STATE.VULN
+			end
+		end
+  end
+  return report:make_output(vuln_table)
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -144,6 +144,7 @@ Entry { filename = "http-barracuda-dir-traversal.nse", categories = { "auth", "e
 Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "http-cakephp-version.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-chrono.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "http-cisco-anyconnect.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-coldfusion-subzero.nse", categories = { "exploit", } }
 Entry { filename = "http-comments-displayer.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-config-backup.nse", categories = { "auth", "intrusive", } }
@@ -226,6 +227,10 @@ Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vu
 Entry { filename = "http-vuln-cve2012-1823.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-vuln-cve2013-0156.nse", categories = { "exploit", "vuln", } }
 Entry { filename = "http-vuln-cve2013-7091.nse", categories = { "exploit", "intrusive", "vuln", } }
+Entry { filename = "http-vuln-cve2014-2126.nse", categories = { "safe", "vuln", } }
+Entry { filename = "http-vuln-cve2014-2127.nse", categories = { "safe", "vuln", } }
+Entry { filename = "http-vuln-cve2014-2128.nse", categories = { "safe", "vuln", } }
+Entry { filename = "http-vuln-cve2014-2129.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-waf-fingerprint.nse", categories = { "discovery", "intrusive", } }