Summary

• Multiple vulnerabilities exist in the Cisco Virtual Private Network (VPN) Client software. These vulnerabilities are documented as Cisco Bug IDs CSCdt35749, CSCdt60391, CSCdw87717, CSCdx89416 and CSCdy37058. There are no workarounds available to mitigate the effects of these vulnerabilities.

  This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020905-vpnclient-vulnerability.

Affected Products

• This section provides details on affected products.

  Vulnerable Products

  The VPN Client software program runs on the following platforms.

  • Microsoft Windows based PC.
    
  • Red Hat Version 6.2 Linux (Intel), or compatible distribution, using kernel Version 2.2.12 or later. It does not support kernel Version 2.5.
    
  • Solaris UltraSPARC running a 32-bit or a 64-bit kernel OS Version 2.6 or later.
    
  • Mac OS X Version 10.1.0 or later.
    

  DDTS Description	Affected Releases
  CSCdt35749 - NETBIOS TCP packet vulnerability	earlier than 3.0.5 2.x.x
  CSCdt60391 - Group passwords visible using utility program	earlier than 3.5.1C 3.1.x 3.0.x 2.x.x
  CSCdw87717 - Concentrator certificate identity vulnerability	earlier than 3.5.1C 3.1.x 3.0.x 2.x.x
  CSCdx89416 - Random number generation improvement	earlier than 3.5.2B 3.1.x 3.0.x 2.x.x
  CSCdy37058 - TCP filter vulnerability	3.6(Rel) earlier than 3.5.4 3.1.x 3.0.x 2.x.x

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• The VPN Client software program on a remote workstation, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. Through this connection you can access a private network as if you were an onsite user.

  DDTS Description	Details
  CSCdt35749 - NETBIOS TCP packet vulnerability	The VPN Client is vulnerable to NETBIOS TCP packets that have their source and destination ports set to 137 (NETBIOS Name Service). Upon receiving such a packet, the VPN Client crashes.
  CSCdt60391 - Group passwords visible using utility program	There is a utility program under Windows that can decipher the group password field, which is shown as a series of asterisks (***...) on the authentication property page of the VPN Client.
  CSCdw87717 - Concentrator certificate identity vulnerability	When a VPN Client connects to a VPN Concentrator using certificates, the VPN Client does not have the ability to verify that specific certificate DN fields match in the certificate received from the VPN Concentrator.
  CSCdx89416 - Random number generation improvement	The random number generation process in the VPN Client software has been significantly improved to increase the randomness of the generated numbers.
  CSCdy37058 - TCP filter vulnerability	It is possible to get the VPN Client, which is configured for all tunnel mode (split tunneling disabled mode), to acknowledge a TCP packet via the tunnel-assigned IP, when the packet is sent to it from outside the tunnel. The 3.5.x releases are protected against this vulnerability if the firewall is configured to be in "always on" mode. The 3.6(Rel) release is vulnerable even when the firewall is in "always on" mode.

  These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs CSCdt35749, CSCdt60391, CSCdw87717, CSCdx89416 and CSCdy37058, and can be viewed after 2002 September 6 at 1500 UTC. To access this tool, you must be a registered user and you must be logged in.

Workarounds

• Workarounds are described in this table.

  DDTS Description	Workaround
  CSCdt35749 - NETBIOS TCP packet vulnerability	There is no workaround.
  CSCdt60391 - Group passwords visible using utility program	There is no workaround.
  CSCdw87717 - Concentrator certificate identity vulnerability	There is no workaround.
  CSCdx89416 - Random number generation improvement	Not applicable.
  CSCdy37058 - TCP filter vulnerability	There is no workaround.

  The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code.

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

  DDTS Description	Fixed Releases
  CSCdt35749 - NETBIOS TCP packet vulnerability	3.6(Rel) or later 3.5(Rel) or later 3.1(Rel) or later 3.0.5 or later
  CSCdt60391 - Group passwords visible using utility program	3.6(Rel) or later 3.5.1C or later
  CSCdw87717 - Concentrator certificate identity vulnerability	3.6(Rel) or later 3.5.1C or later
  CSCdx89416 - Random number generation improvement	3.6(Rel) or later 3.5.2B or later
  CSCdy37058 - TCP filter vulnerability	3.6.1 or later 3.5.4 or later

  The procedure to upgrade on the various platforms to the fixed software version is detailed in the documentation available at http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/.

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

  These vulnerabilities were reported to PSIRT by internal development testing and customers.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020905-vpnclient-vulnerability

Revision History

• Revision 1.0

  2002-September-05

  Initial public release.

  Show Less