February 27, 2007
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
The Cisco Secure Services Client (CSSC) is a software client that enables customers to deploy a single authentication framework using the 802.1x authentication standard across multiple device types to access both wired and wireless networks. This client is also a component of the Cisco Trust Agent (CTA) within the Cisco Network Admission Control (NAC) solution and NAC Framework solution.
These products are affected by multiple vulnerabilities including privilege escalations, a denial of service, information disclosure and password disclosure.
Four privilege escalation vulnerabilities exist in both products.
It is possible for a user to increase their privileges to the local system user via the help facility within the supplicant Graphical User Interface (GUI). This vulnerability is documented by Cisco Bug ID CSCsf14120 (registered customers only) .
Similarly, an unprivileged user is able to launch any program on a system to run with SYSTEM privileges from within the supplicant application. This vulnerability is documented by Cisco Bug ID CSCsf15836 (registered customers only) .
Insecure default Discretionary Access Control Lists (DACL) for the connection client GUI (ConnectionClient.exe) allows an unprivileged user (guest) to inject a thread under ConnectionClient.exe running with SYSTEM level privileges. This vulnerability is documented by Cisco Bug ID CSCsg20558 (registered customers only) .
Due to the method used in parsing commands, it is possible that an unprivileged user who is logged into the computer could launch a process as the local system user. This vulnerability is documented by Cisco Bug IDs CSCsh30297 (registered customers only) and CSCsh30624 (registered customers only) .
Denial of Service
If there is more than one profile (*.xml file) with the same timestamp in either of the following folders, a crash will result in a crash of the supplicant. This vulnerability is documented by Cisco Bug ID CSCse60387 (registered customers only) :
\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\profiles\networks
\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\profiles\policies
If Protected Extensible Authentication Protocol (PEAP)/Generic Token Card (GTC) Wi-Fi Protected Access (WPA) is the authentication mechanism employed and user authentication is configured on the client, then the user's password will be logged in clear text in the file:
\Program Files\Cisco Systems\Cisco Trust Agent 8021x Client\system\log\apidebug_current.txt
This vulnerability is documented by Cisco Bug ID CSCsg34423 (registered customers only) .
With authentication methods which convey a password in a protected tunnel, the user's password will be logged in clear text in the application log files described below (assuming default installation paths). This will occur with the following methods:
This advisory is posted here: Cisco Security Advisory: Multiple Vulnerabilities in 802.1X Supplicant.
Cisco has made free software available to address this vulnerability for affected customers.
Cisco Trust Agent (CTA) installed on end-hosts is a core component of the Cisco Network Admission Control (NAC) solution and the NAC Framework solution. CTA optionally includes CSSC to provide authentication as part of the NAC solution, using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.
Both products are affected by multiple vulnerabilities including privilege escalations, application crashes, and password disclosure.
Successful exploitation of any one of the four privilege escalation vulnerabilities may result in a user gaining privilege to run programs, read or modify files, or otherwise damage the integrity, confidentiality, and availability of the system.
Successful exploitation of the duplicate timestamps issue will cause the supplicant to crash, isolating the computer from any 802.1x enabled networks.
If the GTC authentication mechanism is employed, then a user who can access the apidebug_current.txt file may see passwords of other users in clear text, which will enable them to impersonate and authenticate as those users gaining the privilege and identity of the compromised user account.
In the case of the duplicate timestamps vulnerability, simply modifying one of the files with the duplicate timestamp is sufficient. A unique timestamp that does not match any of the other profiles in those directories is all that is required.
There are no workarounds available for the privilege escalation vulnerabilities. You will need to upgrade to one of the fixed releases mentioned in the Cisco Security Advisory: Multiple Vulnerabilities in 802.1X Supplicant PSIRT.
You can obtain the free corrected software at the Cisco Trust Agent Software Download (registered customers only) page.
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
Initial Public Release
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.