Cisco Security Advisory
Local Privilege Escalation Vulnerabilities in Cisco VPN Client
There are no workarounds for this vulnerability.
2. Local Privilege Escalation Through Default cvpnd.exe File Permissions
An effective workaround for this vulnerability is to revoke access rights for NT AUTHORITY\INTERACTIVE from cvpnd.exe. For example:
C:\Program Files\Cisco Systems\VPN Client>cacls cvpnd.exe /E /R "NT AUTHORITY\INTERACTIVE"
Note: Windows Vista includes icacls, an updated partial replacement for cacls. More information about icacls can be found at http://www.microsoft.com/technet/technetmag/issues/2007/07/SecurityWatch/default.aspx .
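The following PowerShell script is an added example, not part of the Cisco advisory: it audits the ACL on cvpnd.exe for the NT AUTHORITY\INTERACTIVE entry the workaround above revokes, reports any write-class rights that entry carries, and with -Fix removes it using icacls (the cacls successor mentioned in the note). It assumes the advisory's default install path and treats Write, Modify, FullControl, TakeOwnership and ChangePermissions as the rights that matter, since any of them lets an interactively logged-on user alter or replace the file.

```powershell
# Added example (not from the Cisco advisory): check whether NT AUTHORITY\INTERACTIVE
# still holds write-class rights on cvpnd.exe, and optionally remove the entry.
# Assumptions: default install path below; rights listed in $Dangerous are the
# ones that allow modifying or replacing the binary (or granting oneself that ability).
param(
    [string]$Target = 'C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe',
    [switch]$Fix
)

$Interactive = 'NT AUTHORITY\INTERACTIVE'

if (-not (Test-Path -LiteralPath $Target)) {
    Write-Warning "Not found: $Target (client not installed, or installed to a non-default path)"
    exit 2
}

# Rights that let a user change the executable, or change who may change it.
$Dangerous = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

$Acl = Get-Acl -LiteralPath $Target
$Findings = @(
    $Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Interactive } |
        Where-Object { ($_.FileSystemRights -band $Dangerous) -ne 0 } |
        Select-Object @{n='Identity';  e={ $_.IdentityReference.Value }},
                      @{n='Rights';    e={ $_.FileSystemRights }},
                      @{n='Inherited'; e={ $_.IsInherited }}
)

if ($Findings.Count -eq 0) {
    Write-Output "OK: $Interactive has no write-class rights on $Target"
    exit 0
}

Write-Output "FINDING: $Interactive can modify $Target"
$Findings | Format-Table -AutoSize | Out-String | Write-Output

if ($Fix) {
    # An inherited ACE cannot be removed directly: turn inherited entries into
    # explicit ones first, then remove every granted entry for INTERACTIVE.
    if ($Findings | Where-Object Inherited) {
        & icacls.exe $Target /inheritance:d | Out-Null
    }
    # Same effect as the advisory's: cacls cvpnd.exe /E /R "NT AUTHORITY\INTERACTIVE"
    & icacls.exe $Target /remove:g $Interactive

    # Re-read the ACL so the exit code reflects the state after the change.
    $After = (Get-Acl -LiteralPath $Target).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Interactive }
    if ($After) {
        Write-Warning 'INTERACTIVE entry still present after icacls; review the output above'
        exit 1
    }
    Write-Output "Fixed: $Interactive entry removed from $Target"
    exit 0
}

exit 1
```

Run it from an elevated prompt; without -Fix it only reports (exit code 1 when the entry is present, 0 when it is not, 2 when the file is absent), which makes it usable as a fleet-wide check before and after deploying the fixed MSI package. Note that /inheritance:d changes the whole ACL of the file from inherited to explicit, so a later change to the parent directory's permissions will no longer flow down to cvpnd.exe.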
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco VPN Client software table (below) describes one of the vulnerabilities described in this document. For each vulnerability, the earliest possible release that contains the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "First Fixed Release" column. A device running a release that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
First Fixed Release
4.8.02.0010 (MSI and IS packages)
32-bit version: 5.0.01.0600 (MSI package only)
64-bit version: 5.0.07.0440 (MSI package only)
Note: The VPN Client for Windows software is distributed as both a Microsoft Installer (MSI) package and an InstallShield (IS) package. Only the MSI package for version 5.0.01.0600 of the VPN Client contains the fix for the "Local Privilege Escalation Through Default cvpnd.exe File Permissions" vulnerability. The IS package does not contain the fix for that vulnerability and has been removed from http://www.cisco.com. Customers who have downloaded and installed the IS package for version 5.0.01.0600 of the VPN Client will need to apply the workaround listed in the Workarounds section of this advisory or migrate to the MSI package to address these vulnerabilities.
Note: Customers who want to deploy a software version containing fixes for the two vulnerabilities disclosed in this advisory should deploy the MSI package for v5.0.01.0600 of the VPN Client.
The Cisco VPN Client for Windows is available for download from the following location on cisco.com:
Please note that security fixes are not applied to older versions of the Cisco VPN Client for Windows software. Customers looking for a version containing fixes for all published vulnerabilities affecting the Cisco VPN Client for Windows should download and install the latest MSI package available from the previously listed URL.
Note: It has been reported that upgrades to version 5.0.01.0600 of the Cisco VPN Client in non-English versions of Microsoft Windows may fail. This issue is being tracked by Cisco Bug ID CSCsj89801, and Cisco has made available a workaround in the form of an MSI transform, which is available from http://www.cisco.com/pcgi-bin/tablebuild.pl/windows?psrtdcat20e2 (registered customers only) (file name vpnclient-international-transform-5.0.01.0600.zip). Future versions of the Cisco VPN Client for Windows will not require this workaround.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
The "Local Privilege Escalation Through Microsoft Windows Dial-Up Networking Interface" vulnerability (CSCse89550) was reported to Cisco by a customer.
The "Local Privilege Escalation Through Default cvpnd.exe File Permissions" vulnerability (CSCsj00785) was reported to Cisco by Dominic Beecher of Next Generation Security Software Ltd. Dominic also provided a viable workaround for this vulnerability. Cisco would like to thank Dominic Beecher and Next Generation Security Software Ltd. for reporting this vulnerability and for working with us towards a coordinated disclosure of the vulnerability.
The regression in the fix for the "Local Privilege Escalation Through Default cvpnd.exe File Permissions" vulnerability (CSCtn50645) was found and reported to Cisco by Gavin Jones of NGS Secure. Cisco would like to thank Gavin Jones and NGS Secure for reporting this vulnerability and for working with us towards a coordinated disclosure of the vulnerability.