Multiple vulnerabilities exist in the Cisco Virtual Private Network (VPN) Client software. These vulnerabilities are documented as Cisco Bug IDs CSCdt35749, CSCdt60391, CSCdw87717, CSCdx89416 and CSCdy37058. There are no workarounds available to mitigate the effects of these vulnerabilities.
This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020905-vpnclient-vulnerability.
This section provides details on affected products.
Vulnerable Products
The VPN Client software program runs on the following platforms:
- Microsoft Windows based PC.
- Red Hat Version 6.2 Linux (Intel), or compatible distribution, using kernel Version 2.2.12 or later. It does not support kernel Version 2.5.
- Solaris UltraSPARC running a 32-bit or a 64-bit kernel OS Version 2.6 or later.
- Mac OS X Version 10.1.0 or later.
DDTS Description - Affected Releases
CSCdt35749 - NETBIOS TCP packet vulnerability
- earlier than 3.0.5
- 2.x.x
CSCdt60391 - Group passwords visible using utility program
- earlier than 3.5.1C
- 3.1.x
- 3.0.x
- 2.x.x
CSCdw87717 - Concentrator certificate identity vulnerability
- earlier than 3.5.1C
- 3.1.x
- 3.0.x
- 2.x.x
CSCdx89416 - Random number generation improvement
- earlier than 3.5.2B
- 3.1.x
- 3.0.x
- 2.x.x
CSCdy37058 - TCP filter vulnerability
- 3.6(Rel)
- earlier than 3.5.4
- 3.1.x
- 3.0.x
- 2.x.x
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
The VPN Client software program on a remote workstation, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. Through this connection you can access a private network as if you were an onsite user.
DDTS Description - Details
CSCdt35749 - NETBIOS TCP packet vulnerability
The VPN Client is vulnerable to NETBIOS TCP packets that have their source and destination ports set to 137 (NETBIOS Name Service). Upon receiving such a packet, the VPN Client crashes.
CSCdt60391 - Group passwords visible using utility program
There is a utility program under Windows that can decipher the group password field, which is shown as a series of asterisks (***...) on the authentication property page of the VPN Client.
CSCdw87717 - Concentrator certificate identity vulnerability
When a VPN Client connects to a VPN Concentrator using certificates, the VPN Client does not have the ability to verify that specific certificate DN fields match in the certificate received from the VPN Concentrator.
CSCdx89416 - Random number generation improvement
The random number generation process in the VPN Client software has been significantly improved to increase the randomness of the generated numbers.
CSCdy37058 - TCP filter vulnerability
It is possible to get the VPN Client, which is configured for all tunnel mode (split tunneling disabled mode), to acknowledge a TCP packet via the tunnel-assigned IP, when the packet is sent to it from outside the tunnel. The 3.5.x releases are protected against this vulnerability if the firewall is configured to be in "always on" mode. The 3.6(Rel) release is vulnerable even when the firewall is in "always on" mode.
These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs CSCdt35749, CSCdt60391, CSCdw87717, CSCdx89416 and CSCdy37058, and can be viewed after 2002 September 6 at 1500 UTC. To access this tool, you must be a registered user and you must be logged in.
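The DN check that CSCdw87717 describes as missing, shown as an added example (not Cisco's code and not part of the original advisory): after chain validation, selected subject DN fields of the peer certificate are compared with values pinned on the client. The certificate dict follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`; `EXPECTED_DN` and both sample certificates are constructed.

```python
# Subject DN fields the client requires from the concentrator (constructed values).
EXPECTED_DN = {
    "organizationName": ["Example Corp"],
    "organizationalUnitName": ["Remote Access"],
    "commonName": ["vpn-gw.example.com"],
}

def subject_fields(cert):
    """Flatten the subject (tuple of RDNs of (name, value) pairs) into {name: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)  # keeps repeated OUs
    return fields

def _norm(value):
    # Compare case-insensitively with runs of whitespace collapsed.
    return " ".join(value.split()).casefold()

def dn_mismatches(cert, expected=EXPECTED_DN):
    """Return the pinned DN fields the peer certificate fails; [] means accept."""
    present = subject_fields(cert)
    problems = []
    for name, wanted in expected.items():
        have = {_norm(v) for v in present.get(name, [])}
        for value in wanted:
            if _norm(value) not in have:
                got = present.get(name) or "missing"
                problems.append(f"{name}: expected {value!r}, got {got}")
    return problems

# Constructed samples: assume both chain to the same trusted CA.
GATEWAY_CERT = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("organizationalUnitName", "Remote Access"),),
    (("commonName", "vpn-gw.example.com"),),
)}
OTHER_CERT = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "example corp"),),
    (("organizationalUnitName", "Engineering"),),
    (("commonName", "laptop-0042.example.com"),),
)}

if __name__ == "__main__":
    for label, cert in (("gateway", GATEWAY_CERT), ("other", OTHER_CERT)):
        print(label, dn_mismatches(cert) or "DN accepted")
```

Chain validation alone accepts any certificate the trusted CA issued; the DN comparison is what ties the session to the intended concentrator. A certificate with no subject fails every pinned field, so the check fails closed.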
Workarounds are described in this table.
DDTS Description - Workaround
CSCdt35749 - NETBIOS TCP packet vulnerability
There is no workaround.
CSCdt60391 - Group passwords visible using utility program
There is no workaround.
CSCdw87717 - Concentrator certificate identity vulnerability
There is no workaround.
CSCdx89416 - Random number generation improvement
Not applicable.
CSCdy37058 - TCP filter vulnerability
There is no workaround.
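With no workaround for CSCdt35749 or CSCdy37058, inbound traffic can be checked for the two packet patterns given in the details above until clients are upgraded. This is an added example, not part of the original advisory: it assumes "outside the tunnel" means arrival on any interface other than the tunnel adapter, and the interface names, addresses and packets are constructed.

```python
import socket
import struct

def parse_ipv4_tcp(packet):
    """Return (dst_ip, sport, dport) for an IPv4/TCP packet, or None if the
    packet is truncated, not TCP, or a non-first fragment (no TCP header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                       # IP header length in bytes
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 6 or frag_offset or len(packet) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return socket.inet_ntoa(packet[16:20]), sport, dport

def advisory_hits(iface, packet, tunnel_iface, tunnel_ip):
    """Bug IDs from the advisory whose traffic pattern this inbound packet matches."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return []
    dst_ip, sport, dport = parsed
    hits = []
    if sport == 137 and dport == 137:                  # TCP, both ports 137
        hits.append("CSCdt35749")
    if iface != tunnel_iface and dst_ip == tunnel_ip:  # assumption: off-tunnel arrival
        hits.append("CSCdy37058")
    return hits

# Constructed capture: (interface, raw IPv4 packet as hex).
IP_HDR = "45000028 00000000 4006 0000 "                # IPv4, IHL 5, TTL 64, proto TCP
TCP_REST = " 00000000 00000000 5002 0400 0000 0000"    # seq, ack, flags, window, sum, urg
SAMPLES = [
    ("eth0", IP_HDR + "c000020a c6336407 0089 0089" + TCP_REST),  # ports 137 -> 137
    ("eth0", IP_HDR + "c000020a 0a0a0105 9c40 0050" + TCP_REST),  # to tunnel IP, off-tunnel
    ("tun0", IP_HDR + "0a0a0001 0a0a0105 01bb c738" + TCP_REST),  # ordinary tunnel traffic
]

def scan(samples=SAMPLES, tunnel_iface="tun0", tunnel_ip="10.10.1.5"):
    """Classify every (interface, hex packet) pair in the capture."""
    return [advisory_hits(i, bytes.fromhex(h), tunnel_iface, tunnel_ip)
            for i, h in samples]

if __name__ == "__main__":
    for (iface, _), hits in zip(SAMPLES, scan()):
        print(iface, hits or "no match")
```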
The Cisco PSIRT recommends that affected users upgrade to a fixed software version.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
DDTS Description - Fixed Releases
CSCdt35749 - NETBIOS TCP packet vulnerability
- 3.6(Rel) or later
- 3.5(Rel) or later
- 3.1(Rel) or later
- 3.0.5 or later
CSCdt60391 - Group passwords visible using utility program
- 3.6(Rel) or later
- 3.5.1C or later
CSCdw87717 - Concentrator certificate identity vulnerability
- 3.6(Rel) or later
- 3.5.1C or later
CSCdx89416 - Random number generation improvement
- 3.6(Rel) or later
- 3.5.2B or later
CSCdy37058 - TCP filter vulnerability
- 3.6.1 or later
- 3.5.4 or later
The procedure to upgrade on the various platforms to the fixed software version is detailed in the documentation available at http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to PSIRT by internal development testing and customers.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.