The Cisco VPN (Virtual Private Network) Client establishes an encrypted
tunnel between a local system and a Cisco VPN Concentrator. The tunnel provides
confidentiality and integrity for the data in transit, allowing a user on the
local system to securely connect to a corporate network via a public, possibly

If an overly long profile name is given as an argument to the
vpnclient command, a buffer overflow occurs that overwrites the saved return
address on the stack. The contents of the overly long profile name can be
crafted so that, when the corrupted return address is used, arbitrary
instructions execute. The buffer overflow can only be triggered by executing
the vpnclient command directly on the local system, so an attacker needs local
access to the machine.

By default, the vpnclient command is installed on a UNIX-based system as a
binary executable file with setuid permissions, owned by "root", the
administrative user of a UNIX-based system. Since a setuid file executes with
the effective permissions of its owner, the arbitrary instructions execute with
root permissions: an unprivileged local user can escalate to full
administrative control of the system.

In lieu of installing fixed software, the vulnerability can be
mitigated by removing the setuid permission from the vpnclient binary executable
file as shown below. This does not prevent
the buffer overflow from occurring, but limits the simple range of damage that

The problem has been resolved by adding bounds checks against buffer
overflows and by removing unnecessary setuid permissions from executable files in
the software package as provided. Note that the
cvpnd daemon, another one of the binary executable
files in the software package, retains setuid permissions to preserve its
ability to change the configuration of the network interface. This capability
is essential for establishing, managing, and removing a VPN connection.
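The two halves of this advisory, the unbounded copy of an argument into a stack buffer and the fix of checking lengths before copying, are illustrated below in an added example. This is not Cisco's code and not the vpnclient source; the buffer size PROFILE_NAME_MAX, the function names and the default profile name "corporate" are assumptions chosen for the illustration. The unsafe function is kept only for contrast with the hardened one and is never called with untrusted input.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size; the advisory does not state the real one. */
#define PROFILE_NAME_MAX 64

/* Length of src, never scanning more than 'limit' bytes (portable strnlen). */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* Illustrative 'before': the pattern the advisory describes. An argv string
 * is copied into a fixed-size stack buffer with no length check, so a name
 * of PROFILE_NAME_MAX bytes or more writes past 'name' into the saved frame
 * pointer and return address that sit above it on the stack. Kept here only
 * for contrast; do not call it with untrusted input. */
void load_profile_unsafe(const char *profile_name)
{
    char name[PROFILE_NAME_MAX];
    strcpy(name, profile_name);            /* unbounded copy: the bug class */
    printf("loading profile %s\n", name);
}

/* Hardened form: measure against the destination size before copying and
 * fail closed on anything that does not fit together with its terminator.
 * Returns 0 on success, -1 with errno set otherwise. */
int copy_profile_name(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0) {
        errno = EINVAL;
        return -1;
    }
    len = bounded_len(src, dst_size);      /* reads at most dst_size bytes */
    if (len >= dst_size) {                 /* no room left for the NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, len + 1);             /* copies the terminator too */
    return 0;
}

/* Builds a constructed name of exactly 'len' non-NUL bytes and reports
 * whether the hardened copy rejects it: 1 rejected, 0 accepted, -1 on OOM. */
int overlong_name_rejected(size_t len)
{
    char name[PROFILE_NAME_MAX];
    char *src = malloc(len + 1);
    int rejected;
    if (src == NULL)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    rejected = (copy_profile_name(name, sizeof name, src) != 0);
    free(src);
    return rejected;
}

int main(int argc, char **argv)
{
    char name[PROFILE_NAME_MAX];
    /* "corporate" is a constructed default profile name for the demo. */
    const char *profile = argc > 1 ? argv[1] : "corporate";
    if (copy_profile_name(name, sizeof name, profile) != 0) {
        fprintf(stderr, "profile name too long (max %d bytes)\n",
                PROFILE_NAME_MAX - 1);
        return 1;
    }
    printf("profile: %s\n", name);
    return 0;
}
```

Run it with a name of PROFILE_NAME_MAX bytes or more (for example a run of several hundred "A" characters) and the hardened path reports an error and exits; the same input given to the unsafe pattern would overwrite the stack frame. The check is done on the length before any byte is written, which is what "better tests for buffer overflows" amounts to in practice, and the bounded scan means an unterminated argument cannot make the measurement itself read too far.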
This vulnerability is documented as CSCdx39290.
Details can be viewed on-line by registered users of Cisco's website.