AV:L/AC:L/Au:NR/C:C/I:C/A:C/B:N/E:F/RL:O/RC:C
-
The Cisco Secure Services Client (CSSC) is a software client that enables customers to deploy a single authentication framework using the 802.1X authentication standard across multiple device types to access both wired and wireless networks. A lightweight version of the CSSC client is also a component of the Cisco Trust Agent (CTA) within the Cisco Network Admission Control (NAC) Framework solution.
These products are affected by multiple vulnerabilities including privilege escalations and information disclosure.
Cisco Security Agent (CSA) bundle versions 5.0 and 5.1 included Cisco Trust Agent software within the bundle. Customers who have deployed CTA as part of their CSA client package may be vulnerable if the version of CTA included is a version which is affected. This vulnerability does not impact the the CSA client or server software.
Cisco has made free software available to address these vulnerabilities for affected customers.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070221-supplicant.
-
This section provides details on affected products.
Vulnerable Products
Any version of the following software clients, prior to the versions which are listed in the Software Versions and Fixes section below, may be vulnerable.
-
Cisco Secure Services Client 4.x versions
-
Cisco Trust Agent 1.x and 2.x versions
-
Meetinghouse AEGIS SecureConnect Client (Windows platform versions)
To determine the version of the Cisco Trust Agent installed, the ctastat command found in the
\Program Files\Cisco Systems\CiscoTrustAgent
directory will provide output similar to:
Cisco Trust Agent Statistics Current Time: Tue Sep 27 19:11:18 2005 CTA Version: 2.0.0.26
To determine the version of the Cisco Secure Services Client installed, the software version information may be found in "About" dialog window which may be launched underneath the Help tab within the client.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco Secure Services Client 4.x versions
-
The Cisco Secure Services Client (CSSC) is a software client that enables customers to deploy a single authentication framework using the 802.1X authentication standard across multiple device types to access both wired and wireless networks. Previously this product was marketed as the Meetinghouse AEGIS SecureConnect client.
Cisco Trust Agent (CTA) installed on end-hosts is a core component of the Cisco Network Admission Control (NAC) Framework solution. CTA optionally includes a lightweight version of CSSC to provide authentication as part of the NAC Framework solution, using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.
Both products are affected by multiple vulnerabilities including privilege escalations and password disclosure.
Privilege Escalations
Four privilege escalation vulnerabilities exist in both products.
-
It is possible for an unprivileged user who is logged into the
computer to increase their privileges to the local system user via the help
facility within the supplicant Graphical User Interface (GUI). This
vulnerability is documented by Cisco Bug ID
CSCsf14120
(
registered customers only)
-
An unprivileged user who is logged into the computer is able to
launch any program on a system to run with SYSTEM privileges from within the
supplicant application. This vulnerability is documented by Cisco Bug ID
CSCsf15836
(
registered customers only)
-
Insecure default Discretionary Access Control Lists (DACL) for the
connection client GUI (ConnectionClient.exe) allows an unprivileged user to
inject a thread under ConnectionClient.exe running with SYSTEM level
privileges. This vulnerability is documented by Cisco Bug ID
CSCsg20558
(
registered customers only)
-
Due to the method used in parsing commands, it is possible that an
unprivileged user who is logged into the computer could launch a process as the
local system user. This vulnerability is documented by Cisco Bug IDs
CSCsh30297
(
registered customers only)
and
CSCsh30624
(
registered customers only)
.
Password Disclosure
With authentication methods which convey a password in a protected tunnel the users password will be logged in cleartext in the application log files described below (assuming default installation paths). This will occur with the following methods:
-
TTLS CHAP
-
TTLS MSCHAP
-
TTLS MSCHAPv2
-
TTLS PAP
-
MD5
-
GTC
-
LEAP
-
PEAP MSCHAPv2
-
PEAP GTC
-
FAST
CTA Wired Client:
-
\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired
Client\system\log\apiDebug_current.txt
-
\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired
Client\system\log\apiDebug_1.txt
-
\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired
Client\system\log\apiDebug_2.txt
Cisco Secure Services Client:
-
\Program Files\Cisco System\Cisco Secure Services Client\
system\log\apiDebug_current.txt
-
\Program Files\Cisco System\Cisco Secure Services Client\
system\log\apiDebug_1.txt
-
\Program Files\Cisco System\Cisco Secure Services Client\
system\log\apiDebug_2.txt
AEGIS Secure Connect:
-
\Program Files\Meetinghouse\AEGIS
SecureConnect\System\log\apiDebug_current.txt
-
\Program Files\Meetinghouse\AEGIS
SecureConnect\System\log\apiDebug_1.txt
-
\Program Files\Meetinghouse\AEGIS
SecureConnect\System\log\apiDebug_2.txt
This log file is rotated on a regular basis and will be recreated if the file has been deleted.
This vulnerability is documented by Cisco Bug ID CSCsg34423 ( registered customers only)
Vulnerability Scoring Details
Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS).
Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at https://sec.cloudapps.cisco.com/security/center/cvssCalculator.x.
CSCsf14120: Privilege escalation vulnerability via Help facility
Calculate the environmental score of CSCsf14120
CVSS Base Score - 5.6
Access Vector
Access Complexity
Authentication
Confidentiality Impact
Integrity Impact
Availability Impact
Impact Bias
Local
High
Not Required
Complete
Complete
Complete
Normal
CVSS Temporal Score - 4.6
Exploitability
Remediation Level
Report Confidence
Functional
Official Fix
Confirmed
CSCsf15836: Privilege escalation vulnerability via web browser.
Calculate the environmental score of CSCsf15836
CVSS Base Score - 7
Access Vector
Access Complexity
Authentication
Confidentiality Impact
Integrity Impact
Availability Impact
Impact Bias
Local
Low
Not Required
Complete
Complete
Complete
Normal
CVSS Temporal Score - 5.8
Exploitability
Remediation Level
Report Confidence
Functional
Official Fix
Confirmed
CSCsg20558: ConnectionClient.exe vulnerable to Local Privilege Escalation.
Calculate the environmental score of CSCsg20558
CVSS Base Score - 7
Access Vector
Access Complexity
Authentication
Confidentiality Impact
Integrity Impact
Availability Impact
Impact Bias
Local
Low
Not Required
Complete
Complete
Complete
Normal
CVSS Temporal Score - 5.8
Exploitability
Remediation Level
Report Confidence
Functional
Official Fix
Confirmed
CSCsh30297: Security vulnerability while launching a process and CSCsh30624: Security vulnerability while launching a process.
Calculate the environmental score of CSCsh30297 and CSCsh30624
CVSS Base Score - 7
Access Vector
Access Complexity
Authentication
Confidentiality Impact
Integrity Impact
Availability Impact
Impact Bias
Local
Low
Not Required
Complete
Complete
Complete
Normal
CVSS Temporal Score - 5.8
Exploitability
Remediation Level
Report Confidence
Functional
Official Fix
Confirmed
CSCsg34423: User's password written to log file.
Calculate the environmental score of CSCsg34423
CVSS Base Score - 1.6
Access Vector
Access Complexity
Authentication
Confidentiality Impact
Integrity Impact
Availability Impact
Impact Bias
Local
Low
Not Required
Partial
None
None
Normal
CVSS Temporal Score - 1.3
Exploitability
Remediation Level
Report Confidence
Functional
Official Fix
Confirmed
-
It is possible for an unprivileged user who is logged into the
computer to increase their privileges to the local system user via the help
facility within the supplicant Graphical User Interface (GUI). This
vulnerability is documented by Cisco Bug ID
CSCsf14120
(
registered customers only)
-
There are no workarounds available for the privilege escalation vulnerabilities.
The password disclosure vulnerability may be temporarily mitigated by deleting the current apidebug_current.txt file and previous versions of the file. This workaround is only temporary as those files will be automatically recreated by the application.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
The table below lists the first fixed releases for each specific vulnerability. Customers wishing to get all of the fixes may simply download CTA version 2.1.103.0 or CSSC version 4.0.51.5192.
Category
BugID
Product
First Fixed Releases
Privilege Escalations
CTA
CSSC
4.0.51.5192
CTA
CSSC
4.0.51.5192
CTA
CSSC
4.0.51.5192
CSCsh30297 and CSCsh30624
CTA
CSSC
4.0.51.5192
Password Disclosures
CTA
CSSC
4.0.51.5192
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Two of these vulnerabilities were reported to Cisco by a customer. The others were found internally.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1
2007-March-01
Updated Cisco Security Agent (CSA) bundle versions 5.0 and 5.1 information in the Summary and Affected Products sections.
Revision 1.0
2007-February-21
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.