Guest

Cisco Security

Cisco Security Advisory

Local Privilege Escalation Vulnerabilities in Cisco VPN Client

Medium
Advisory ID:
cisco-sa-20070815-vpnclient
First Published:
2007 August 15 16:00  GMT
Last Updated: 
2011 March 24 17:00  GMT
Version 1.3:
Final
Workarounds:
CVE-2007-4414
CVE-2007-4415
CWE-264
CVSS Score:
Base 6.8, Temporal 5.9Click Icon to Copy Verbose Score
AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVE-2007-4414
CVE-2007-4415
CWE-264

Workarounds

  • There are no workarounds for this vulnerability.

    2. Local Privilege Escalation Through Default cvpnd.exe File Permissions

    An effective workaround for this vulnerability is to revoke access rights for NT AUTHORITY\INTERACTIVE from cvpnd.exe. For example:

    C:\Program Files\Cisco Systems\VPN Client>cacls cvpnd.exe /E /R "NT AUTHORITY\INTERACTIVE"

    Note: Windows Vista includes icacls, an updated partial replacement for cacls. More information about icacls can be found at http://www.microsoft.com/technet/technetmag/issues/2007/07/SecurityWatch/default.aspx leavingcisco.com.

Fixed Software

  • When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

    Each row of the Cisco VPN Client software table (below) describes one of the vulnerabilities described in this document. For each vulnerability, the earliest possible release that contains the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "First Fixed Release" column. A device running a release that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

    Vulnerability

    First Fixed Release

    1. Local Privilege Escalation Through Microsoft Windows Dial-Up Networking Interface (CSCse89550 ( registered customers only) )

    4.8.02.0010 (MSI and IS packages)

    2. Local Privilege Escalation Through Default cvpnd.exe File Permissions (CSCsj00785 ( registered customers only) and CSCtn50645 ( registered customers only) )

    32-bit version: 5.0.01.0600 (MSI package only)

    64-bit version: 5.0.07.0440 (MSI package only)

    Note: The VPN Client for Windows software is distributed as both a Microsoft Installer (MSI) package and an InstallShield (IS) package. Only the MSI package for version 5.0.01.0600 of the VPN Client contains the fix for the "Local Privilege Escalation Through Default cvpnd.exe File Permissions" vulnerability. The IS package does not contain the fix for that vulnerability and has been removed from http://www.cisco.com. Customers who have downloaded and installed the IS package for version 5.0.01.0600 of the VPN Client will need to apply the workaround listed in the Workarounds section of this advisory or migrate to the MSI package to address these vulnerabilities.

    Note: Customers who want to deploy a software version containing fixes for the two vulnerabilities disclosed in this advisory should deploy the MSI package for v5.0.01.0600 of the VPN Client.

    The Cisco VPN Client for Windows is available for download from the following location on cisco.com:

    http://www.cisco.com/pcgi-bin/tablebuild.pl/windows?psrtdcat20e2

    Please note that security fixes are not applied to older versions of the Cisco VPN Client for Windows software. Customers looking for a version containing fixes for all published vulnerabilities affecting the Cisco VPN Client for Windows should download and install the latest MSI package available from the previously listed URL.

    Note: It has been reported that upgrades to version 5.0.01.0600 of the Cisco VPN Client in non-English versions of Microsoft Windows may fail. This issue is being tracked by Cisco Bug ID CSCsj89801, and Cisco has made available a workaround in the form of an MSI transform, which is available from http://www.cisco.com/pcgi-bin/tablebuild.pl/windows?psrtdcat20e2 ( registered customers only) (file name vpnclient-international-transform-5.0.01.0600.zip). Future versions of the Cisco VPN Client for Windows will not require this workaround.

Exploitation and Public Announcements

  • The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

    The "Local Privilege Escalation Through Microsoft Windows Dial-Up Networking Interface" vulnerability (CSCse89550) was reported to Cisco by a customer.

    The "Local Privilege Escalation Through Default cvpnd.exe File Permissions" vulnerability (CSCsj00785) was reported to Cisco by Dominic Beecher of Next Generation Security Software Ltd. Dominic also provided a viable workaround for this vulnerability. Cisco would like to thank Dominic Beecher and Next Generation Security Software Ltd. for reporting this vulnerability and for working with us towards a coordinated disclosure of the vulnerability.

    The regression in the fix for the" Local Privilege Escalation Through Default cvpnd.exe File Permissions" vulnerability (CSCtn50645) was found and reported to Cisco by Gavin Jones of NGS Secure. Cisco would like to thank Gavin Jones and NGS Secure for reporting this vulnerability and for working with us towards a coordinated disclosure of the vulnerability.