
Cisco Trust Agent

Field Notice: FN - 62705 - CTA Software Versions 1.0.55, 2.0.0.30 and 2.0.1.14 Have Been Removed from CCO Due to PSIRT - Immediate Software Upgrade is Recommended


February 27, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected


CTA NAC

Problem Description

The Cisco Secure Services Client (CSSC) is a software client that enables customers to deploy a single authentication framework using the 802.1x authentication standard across multiple device types to access both wired and wireless networks. This client is also a component of the Cisco Trust Agent (CTA) within the Cisco Network Admission Control (NAC) solution and NAC Framework solution.

These products are affected by multiple vulnerabilities including privilege escalations, a denial of service, information disclosure and password disclosure.

Privilege Escalations

Four privilege escalation vulnerabilities exist in both products.

  1. It is possible for a user to increase their privileges to the local system user via the help facility within the supplicant Graphical User Interface (GUI). This vulnerability is documented by Cisco Bug ID CSCsf14120 (registered customers only).

  2. Similarly, an unprivileged user is able to launch any program on the system to run with SYSTEM privileges from within the supplicant application. This vulnerability is documented by Cisco Bug ID CSCsf15836 (registered customers only).

  3. Insecure default Discretionary Access Control Lists (DACLs) for the connection client GUI (ConnectionClient.exe) allow an unprivileged user (guest) to inject a thread into ConnectionClient.exe, which runs with SYSTEM level privileges. This vulnerability is documented by Cisco Bug ID CSCsg20558 (registered customers only).

  4. Due to the method used in parsing commands, it is possible that an unprivileged user who is logged into the computer could launch a process as the local system user. This vulnerability is documented by Cisco Bug IDs CSCsh30297 (registered customers only) and CSCsh30624 (registered customers only).

Denial of Service

If there is more than one profile (*.xml file) with the same timestamp in either of the following folders, the supplicant will crash. This vulnerability is documented by Cisco Bug ID CSCse60387 (registered customers only):

\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\profiles\networks

\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\profiles\policies

Information Disclosure

If Protected Extensible Authentication Protocol (PEAP)/Generic Token Card (GTC) Wi-Fi Protected Access (WPA) is the authentication mechanism employed and user authentication is configured on the client, then the user's password will be logged in clear text in the file:

\Program Files\Cisco Systems\Cisco Trust Agent 8021x Client\system\log\apidebug_current.txt

This vulnerability is documented by Cisco Bug ID CSCsg34423 (registered customers only).

Password Disclosure

With authentication methods which convey a password in a protected tunnel, the user's password will be logged in clear text in the application log files described below (assuming default installation paths). This will occur with the following methods:

TTLS CHAP

TTLS MSCHAP

TTLS MSCHAPv2

TTLS PAP

MD5

GTC

LEAP

PEAP MSCHAPv2

PEAP GTC

FAST

This advisory is posted here: Cisco Security Advisory: Multiple Vulnerabilities in 802.1X Supplicant.

Cisco has made free software available to address this vulnerability for affected customers.

Background

Cisco Trust Agent (CTA) installed on end-hosts is a core component of the Cisco Network Admission Control (NAC) solution and the NAC Framework solution. CTA optionally includes CSSC to provide authentication as part of the NAC solution, using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.

Both products are affected by multiple vulnerabilities including privilege escalations, application crashes, and password disclosure.

Problem Symptoms

Successful exploitation of any one of the four privilege escalation vulnerabilities may result in a user gaining privilege to run programs, read or modify files, or otherwise damage the integrity, confidentiality, and availability of the system.

Successful exploitation of the duplicate timestamps issue will cause the supplicant to crash, isolating the computer from any 802.1x enabled networks.

If the GTC authentication mechanism is employed, then a user who can access the apidebug_current.txt file may see the passwords of other users in clear text, which will enable them to impersonate and authenticate as those users, gaining the privilege and identity of the compromised user account.

Workaround/Solution

In the case of the duplicate timestamps vulnerability, simply modifying one of the files with the duplicate timestamp is sufficient. A unique timestamp that does not match any of the other profiles in those directories is all that is required.
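The following script is an added example and is not part of the field notice or of Cisco's software. It implements the duplicate-timestamp check and the workaround described above: it lists every *.xml profile in a profiles folder whose last-modified time is shared with another profile, and (when run with dry_run=False) shifts the timestamp of the later duplicates by one second so that every profile has a unique timestamp. It assumes that the supplicant compares profiles by file modification time at one-second granularity, which is an assumption, not something the notice states; comparing at whole seconds is the conservative choice, since it flags anything the supplicant could consider equal. The profile paths are taken from the notice and are resolved relative to the current drive; the sample directory built by build_sample_profiles() is constructed for demonstration only.

```python
"""Find and repair duplicate profile timestamps in CTA supplicant profile folders.

Added example (not Cisco code). Assumption: the supplicant treats two *.xml
profiles as having "the same timestamp" when their modification times match
at one-second resolution.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Profile folders named in the field notice (relative to the current drive).
DEFAULT_PROFILE_DIRS = [
    r"\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\profiles\networks",
    r"\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\profiles\policies",
]


def find_duplicate_timestamps(profile_dir):
    """Return {mtime_seconds: [paths]} for every mtime shared by 2+ *.xml profiles."""
    by_mtime = defaultdict(list)
    for path in sorted(Path(profile_dir).glob("*.xml")):   # sorted: deterministic order
        by_mtime[int(path.stat().st_mtime)].append(path)
    return {ts: paths for ts, paths in by_mtime.items() if len(paths) > 1}


def make_timestamps_unique(profile_dir, dry_run=True):
    """Apply the notice's workaround: give each *.xml profile a unique mtime.

    The first file in each duplicate group keeps its timestamp; the others are
    moved forward to the nearest second not used by any profile in the folder.
    Returns a list of (path, old_mtime, new_mtime); nothing is written if dry_run.
    """
    used = {int(p.stat().st_mtime) for p in Path(profile_dir).glob("*.xml")}
    changes = []
    for ts, paths in find_duplicate_timestamps(profile_dir).items():
        for path in paths[1:]:
            new_ts = ts
            while new_ts in used:          # skip seconds already taken by another profile
                new_ts += 1
            used.add(new_ts)
            if not dry_run:
                os.utime(path, (new_ts, new_ts))
            changes.append((path, ts, new_ts))
    return changes


def build_sample_profiles(root):
    """Constructed sample folder: four profiles, two of which share an mtime."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    base = 1172534400  # constructed value: 27 Feb 2007 00:00:00 UTC, the notice's date
    layout = {"corp.xml": base, "guest.xml": base, "lab.xml": base + 60, "old.xml": base + 120}
    for name, ts in layout.items():
        path = root / name
        path.write_text("<profile/>")     # placeholder content; only the mtime matters here
        os.utime(path, (ts, ts))
    return root


def demo():
    """Run check -> repair -> re-check on the constructed sample; returns all three results."""
    root = build_sample_profiles(Path(tempfile.mkdtemp()) / "networks")
    before = find_duplicate_timestamps(root)
    changes = make_timestamps_unique(root, dry_run=False)
    after = find_duplicate_timestamps(root)
    return before, changes, after


if __name__ == "__main__":
    # Report-only scan of the real folders; pass dry_run=False to apply the workaround.
    for folder in DEFAULT_PROFILE_DIRS:
        if not Path(folder).is_dir():
            print(f"skipped (not found): {folder}")
            continue
        for ts, paths in find_duplicate_timestamps(folder).items():
            print(f"{folder}: {len(paths)} profiles share mtime {ts}: "
                  + ", ".join(p.name for p in paths))
```

Run it with no arguments to list duplicate groups in both folders without changing anything; a one-second shift is enough to satisfy the workaround, and the script only ever moves timestamps forward to values no other profile in that folder already uses, so it cannot create a new collision while fixing an old one.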

There are no workarounds available for the privilege escalation vulnerabilities. You will need to upgrade to one of the fixed releases mentioned in the Cisco Security Advisory: Multiple Vulnerabilities in 802.1X Supplicant PSIRT.

You can obtain the free corrected software at the Cisco Trust Agent Software Download (registered customers only) page.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS          Description

CSCsf14120    Privilege escalation vulnerability via Help / Settings
CSCsf15836    Privilege escalation vulnerability via web browser
CSCsg20558    CTA Supplicant (ConnectionClient.exe) vulnerable to Local Privilege Escalation
CSCse60387    Multiple profiles with same time stamp crashes supplicant
CSCsh30624    Security vulnerability while launching a process
CSCsh30297    Security vulnerability while launching a process
CSCsg34423    User's password written to log file when GTC is configured

Revision History

Revision    Date           Comment

1.0         27-FEB-2007    Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.