Cisco Security Advisory

Contents

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of This Notice: Final
Distribution
Revision History
Cisco Security Procedures

This section provides details on affected products.

Vulnerable Products

Products Confirmed Not Vulnerable

The Cisco Secure Services Client (CSSC) is a software client that enables customers to deploy a single authentication framework using the 802.1X authentication standard across multiple device types to access both wired and wireless networks. Previously this product was marketed as the Meetinghouse AEGIS SecureConnect client.

Cisco Trust Agent (CTA) installed on end-hosts is a core component of the Cisco Network Admission Control (NAC) Framework solution. CTA optionally includes a lightweight version of CSSC to provide authentication as part of the NAC Framework solution, using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.

Both products are affected by multiple vulnerabilities including privilege escalations and password disclosure.

Privilege Escalations

Four privilege escalation vulnerabilities exist in both products.

• It is possible for an unprivileged user who is logged into the computer to increase their privileges to the local system user via the help facility within the supplicant Graphical User Interface (GUI). This vulnerability is documented by Cisco Bug ID CSCsf14120 ( registered customers only)
  
• An unprivileged user who is logged into the computer is able to launch any program on a system to run with SYSTEM privileges from within the supplicant application. This vulnerability is documented by Cisco Bug ID CSCsf15836 ( registered customers only)
  
• Insecure default Discretionary Access Control Lists (DACL) for the connection client GUI (ConnectionClient.exe) allows an unprivileged user to inject a thread under ConnectionClient.exe running with SYSTEM level privileges. This vulnerability is documented by Cisco Bug ID CSCsg20558 ( registered customers only)
  
• Due to the method used in parsing commands, it is possible that an unprivileged user who is logged into the computer could launch a process as the local system user. This vulnerability is documented by Cisco Bug IDs CSCsh30297 ( registered customers only) and CSCsh30624 ( registered customers only) .
  

Password Disclosure

With authentication methods which convey a password in a protected tunnel the users password will be logged in cleartext in the application log files described below (assuming default installation paths). This will occur with the following methods:

• TTLS CHAP
  
• TTLS MSCHAP
  
• TTLS MSCHAPv2
  
• TTLS PAP
  
• MD5
  
• GTC
  
• LEAP
  
• PEAP MSCHAPv2
  
• PEAP GTC
  
• FAST
  

CTA Wired Client:

• \Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\system\log\apiDebug_current.txt
  
• \Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\system\log\apiDebug_1.txt
  
• \Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client\system\log\apiDebug_2.txt
  

Cisco Secure Services Client:

• \Program Files\Cisco System\Cisco Secure Services Client\ system\log\apiDebug_current.txt
  
• \Program Files\Cisco System\Cisco Secure Services Client\ system\log\apiDebug_1.txt
  
• \Program Files\Cisco System\Cisco Secure Services Client\ system\log\apiDebug_2.txt
  

AEGIS Secure Connect:

• \Program Files\Meetinghouse\AEGIS SecureConnect\System\log\apiDebug_current.txt
  
• \Program Files\Meetinghouse\AEGIS SecureConnect\System\log\apiDebug_1.txt
  
• \Program Files\Meetinghouse\AEGIS SecureConnect\System\log\apiDebug_2.txt
  

This log file is rotated on a regular basis and will be recreated if the file has been deleted.

This vulnerability is documented by Cisco Bug ID CSCsg34423 ( registered customers only)

Vulnerability Scoring Details

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS).

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss .

Successful exploitation of any one of the four privilege escalation vulnerabilities may result in a user gaining privilege to run programs, read or modify files, or otherwise damage the integrity, confidentiality, and availability of the system.

If any of the authentication methods described earlier is employed, then a user who can access the apiDebug_current.txt file or previous copies of this file created via normal log rotation may see passwords of other users in cleartext, enabling them to impersonate and authenticate as those users gaining the privilege and identity of the compromised user account.

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

The table below lists the first fixed releases for each specific vulnerability. Customers wishing to get all of the fixes may simply download CTA version 2.1.103.0 or CSSC version 4.0.51.5192.

There are no workarounds available for the privilege escalation vulnerabilities.

The password disclosure vulnerability may be temporarily mitigated by deleting the current apidebug_current.txt file and previous versions of the file. This workaround is only temporary as those files will be automatically recreated by the application.

Cisco will make free software available to address these vulnerabilities for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Customers with Service Contracts

Customers Using Third-Party Support Organizations

Customers Without Service Contracts

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

Two of these vulnerabilities were reported to Cisco by a customer. The others were found internally.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

This advisory is posted on Cisco's worldwide website at :

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070221-supplicant

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

• cust-security-announce@cisco.com
  
• first-teams@first.org
  
• bugtraq@securityfocus.com
  
• vulnwatch@vulnwatch.org
  
• cisco@spot.colorado.edu
  
• cisco-nsp@puck.nether.net
  
• full-disclosure@lists.grok.org.uk
  
• comp.dcom.sys.cisco@newsgate.cisco.com
  

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.