Check: 2009-A-0106
Windows 7 IAVM:
2009-A-0106
(in version v1 r32)
Title
Multiple Vulnerabilities in Cisco VPN Client (Cat I impact)
Discussion
Cisco has released a security advisory addressing two vulnerabilities in the Cisco VPN Client for Microsoft Windows that may allow unprivileged users to elevate their privileges to those of the LocalSystem account. The Cisco VPN Client allows users to establish IPSec VPN tunnels to Cisco VPN-capable devices. If successfully exploited, these vulnerabilities would allow an attacker to elevate privileges and compromise an affected system. At this time, there are known exploits associated with these vulnerabilities; JTF-GNO is aware of DoD related incidents.

Note: Given the gravity of this vulnerability, the First Report Date and POA Mitigation Date for this notice have been shortened accordingly.

Cisco IOS Software Start Before Logon Vulnerability (CVE-2007-4414): Unprivileged users can elevate their privileges to those of the LocalSystem account by enabling the Start Before Logon (SBL) feature and configuring a VPN profile to use the Microsoft Dial-Up Networking interface. When these two settings are enabled and configured concurrently, the Cisco VPN Client Graphical User Interface (GUI) will be available in the Windows logon screen. Configuring these two settings does not require the user to have administrative privileges. From the Windows logon screen, users can leverage a VPN profile that is configured to use Microsoft Dial-Up Networking to launch a dial-up networking dialog box. This action may allow users to elevate their privileges.

This vulnerability has been addressed by adding a requirement: to use a VPN profile configured for Microsoft Dial-Up Networking from the Windows logon screen, the configuration option "Allow launching of third party applications before logon" must be enabled. The option is located in the "Windows Logon Properties" dialog box (available under Options -> Windows Logon Properties...).

Note: Enabling "Allow launching of third party applications before logon" can itself raise some security issues; by design, only users with administrative rights can enable this option. This vulnerability is documented in Cisco Bug ID CSCse89550 (registered customers only).

Cisco IOS Software cvpnd.exe Vulnerability (CVE-2007-4415): Unprivileged users can execute arbitrary programs that run with the privileges of the LocalSystem account by replacing the Cisco VPN Service executable with arbitrary executables. This vulnerability exists because the default file permissions assigned during installation to cvpnd.exe (the executable for the Cisco VPN Service) allow unprivileged, interactive users to replace cvpnd.exe with any file. Because the Cisco VPN Service is a Windows service running with LocalSystem privileges, unprivileged users can easily elevate their privileges. This vulnerability is documented in Cisco Bug ID CSCsj00785 (registered customers only).
Check Content
Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
- Cisco VPN Client 4.X prior to 4.8.02.0010
- Cisco VPN Client 5.X prior to 5.0.01.0600

View Help, About from the application's menu to determine version.
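An audit helper for this check, added here as an example and not part of the IAVM notice or Cisco's tooling: it compares a Help, About version string against the fixed releases listed above and parses `icacls` output for cvpnd.exe to flag write-capable entries held by principals other than administrators. The file path, the sample ACL, the trusted-principal list and the English principal names are assumptions made for the example.

```python
import re

# Fixed releases from the Check Content: 4.x before 4.8.02.0010 and
# 5.x before 5.0.01.0600 are vulnerable.
FIXED = {4: (4, 8, 2, 10), 5: (5, 0, 1, 600)}
# Assumption: principals expected to hold write access to a service binary.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller"}
# icacls rights that let a principal replace the file or retake control of it.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WDAC", "WO", "GW", "GA"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE = re.compile(r"^(?P<who>.+?):(?P<perms>(?:\([^)]*\))+)$")

def is_vulnerable_version(version):
    """True if a Help > About version string is below the fixed release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    fixed = FIXED.get(parts[0])
    if fixed is None:
        raise ValueError("branch not covered by this notice: " + version)
    return parts < fixed

def risky_aces(path, icacls_output):
    """Return (principal, rights) pairs granting write access to non-admins."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line carries the file path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:
            continue                       # blank or summary line
        tokens = re.findall(r"\(([^)]*)\)", m.group("perms"))
        if "DENY" in tokens:
            continue                       # deny entries grant nothing
        rights = {r for t in tokens if t not in INHERIT_FLAGS
                  for r in t.split(",")}
        if m.group("who") not in TRUSTED and rights & WRITE_RIGHTS:
            findings.append((m.group("who"), sorted(rights & WRITE_RIGHTS)))
    return findings

# Constructed sample: placeholder path and ACL, not taken from a real install.
SAMPLE_PATH = r"C:\Example\VPN Client\cvpnd.exe"
SAMPLE_ICACLS = SAMPLE_PATH + r""" NT AUTHORITY\INTERACTIVE:(I)(M)
    BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
"""
```

A non-empty result from `risky_aces` on a host means the service executable is still replaceable by the listed principals, whatever version the About box reports.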
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-21883
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |