
Cisco VPN Client

Field Notice: FN - 62884 - Cisco VPN Client Version 5.0.01.0600 Non MSI Installer Pulled From CCO


Revised August 28, 2007

August 21, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product | Comments
CISCO VPN CLIENT | All Versions except 5.01 .msi installer

Problem Description

Two vulnerabilities exist in the Cisco VPN Client for Microsoft Windows that may allow unprivileged users on machines with the client installed to elevate their privileges to LocalSystem privileges.

Background

A Cisco Security Advisory, cisco-sa-20070815-vpnclient, was published on August 15, 2007 to disclose two vulnerabilities that may allow unprivileged users to elevate their privileges to those of the LocalSystem account.

Note: The alias, psirt-vpnclient@cisco.com, can be used for escalation regarding these two vulnerabilities.

Problem Symptom

The first vulnerability allows unprivileged users to escalate their privileges by using the dial-up networking and Start Before Logon features of the VPN Client. This vulnerability is documented in Cisco Bug ID CSCse89550 (registered customers only).

The second vulnerability allows unprivileged users to escalate their privileges by replacing the executable file for the Cisco VPN Service with arbitrary executables. This is possible because the default file permissions of cvpnd.exe, the executable for the Cisco VPN Service, allow unprivileged, interactive users to replace it with any file. Since the Cisco VPN Service is a Windows service that runs with LocalSystem privileges, this allows unprivileged users to easily elevate their privileges. This vulnerability is documented in Cisco Bug ID CSCsj00785 (registered customers only).

Note: There are no Cisco IPS signatures for these issues since these vulnerabilities are local. Furthermore, there will be no Applied Intelligence Response companion document.
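The second issue is a file-permission weakness that can be checked for on any Windows host. The following audit script is an added example, not code from Cisco or from this field notice. It goes beyond cvpnd.exe and reports every service running as LocalSystem whose executable grants write, delete, or permission-change rights to a principal outside a trusted set. The trusted set (LocalSystem, Administrators, TrustedInstaller) and the list of risky rights are assumptions made for this example.

```powershell
# Added example (not Cisco's code): list LocalSystem services whose executable
# can be modified or replaced by a principal other than the trusted set below.
$trusted = @(
    'S-1-5-18',        # LocalSystem
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# File rights that permit overwriting, deleting, or re-permissioning the binary.
$risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear unmapped in an ACE.
$risky = $risky -bor 0x50000000
$sidType = [System.Security.Principal.SecurityIdentifier]

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments; keep only the executable.
        if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
        else { return }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }

        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $risky) -eq 0) { continue }
            # Translate the SID for display; fall back to the raw SID if it does not resolve.
            try { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.IdentityReference.Value }
            [pscustomobject]@{
                Service  = $svc.Name
                Binary   = $exe
                Identity = $who
                Rights   = $ace.FileSystemRights
            }
        }
    }
```

An empty result means no LocalSystem service binary grants those rights to an untrusted principal. Any row returned names a service whose executable should have its ACL tightened or its software updated.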

Workaround/Solution

Cisco has removed the vpnclient-win-is-5.0.01.0600-k9.exe version of code from CCO. The Product Security Incident Response Team (PSIRT) explains that all versions of the VPN Client prior to the 5.01 MSI will have these vulnerabilities. The vulnerable versions include:

  • All versions of 3.X.X

  • All versions of 4.X.X

  • All versions of 5.X.X

Note: This applies only to the Windows versions of the VPN Client.

Note: Cisco will no longer release any vpnclient-win-is-X.X.XX.XXXX-k9.exe versions in the future.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS | Description
CSCse89550 (registered customers only) | VPN client privilege escalation via MS dial-up networking interface.
CSCsj00785 (registered customers only) | Default cvpnd.exe file permissions allow local privilege escalation.

Revision History

Revision | Date | Comment
1.1 | 28-AUG-2007 | Entire content was changed including the title.
1.0 | 21-AUG-2007 | Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.