[NEWS] Cisco VPN Client Multiple Vulnerabilities - Second Set

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 12 Sep 2002 10:05:34 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cisco VPN Client Multiple Vulnerabilities - Second Set
------------------------------------------------------------------------

SUMMARY

Multiple vulnerabilities exist in the Cisco Virtual Private Network (VPN)
Client software. These vulnerabilities are documented as Cisco Bug IDs
CSCdt35749, CSCdt60391, CSCdw87717, CSCdx89416, and CSCdy37058. There are
no workarounds available to mitigate the effects of these vulnerabilities.

DETAILS

Affected Products:
The VPN Client software program runs on the following platforms.

 * Microsoft Windows based PC.
 * Red Hat Version 6.2 Linux (Intel), or compatible distribution, using
kernel Version 2.2.12 or later. It does not support kernel Version 2.5.
 * Solaris UltraSPARC running a 32-bit or a 64-bit kernel OS Version 2.6
or later.
 * Mac OS X Version 10.1.0 or later.

DDTS: CSCdt35749 - NETBIOS TCP packet vulnerability
Affected Releases:
 * earlier than 3.0.5
 * 2.x.x

DDTS: CSCdt60391 - Group passwords visible using utility program
Affected Releases:
 * earlier than 3.5.1C
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS: CSCdw87717 - Concentrator certificate identity vulnerability
Affected Releases:
 * earlier than 3.5.1C
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS: CSCdx89416 - Random number generation improvement
Affected Releases:
 * earlier than 3.5.2B
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS: CSCdy37058 - TCP filter vulnerability
Affected Releases:
 * 3.6(Rel)
 * earlier than 3.5.4
 * 3.1.x
 * 3.0.x
 * 2.x.x
 
No other Cisco products are currently known to be affected by these
vulnerabilities.

Details:
The VPN Client software program on a remote workstation, communicating
with a Cisco VPN device on an enterprise network or with a service
provider, creates a secure connection over the Internet. Through this
connection you can access a private network as if you were an onsite user.

DDTS: CSCdt35749 - NETBIOS TCP packet vulnerability
Details:
The VPN Client is vulnerable to NETBIOS TCP packets that have their source
and destination ports set to 137 (NETBIOS Name Service). Upon receiving
such a packet, the VPN Client crashes.

DDTS: CSCdt60391 - Group passwords visible using utility program
Details:
There is a utility program under Windows that can decipher the group
password field, which is shown as a series of asterisks (***...) on the
authentication property page of the VPN Client.

DDTS: CSCdw87717 - Concentrator certificate identity vulnerability
Details:
When a VPN Client connects to a VPN Concentrator using certificates, the
VPN Client does not have the ability to verify that specific certificate
DN fields match in the certificate received from the VPN Concentrator.

DDTS: CSCdx89416 - Random number generation improvement
Details:
The random number generation process in the VPN Client software has been
significantly improved to increase the randomness of the generated
numbers.

DDTS: CSCdy37058 - TCP filter vulnerability
Details:
It is possible to get the VPN Client, which is configured for all tunnel
mode (split tunneling disabled mode), to acknowledge a TCP packet via the
tunnel-assigned IP, when the packet is sent to it from outside the tunnel.
The 3.5.x releases are protected against this vulnerability if the
firewall is configured to be in "always on" mode. The 3.6(Rel) release is
vulnerable even when the firewall is in "always on" mode.

These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs
CSCdt35749, CSCdt60391, CSCdw87717, CSCdx89416 and CSCdy37058, and can be
viewed after 2002 September 6 at 1500 UTC. To access this tool, you must
be a registered user and you must be logged in.
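
The check that CSCdw87717 describes as missing, comparing specific DN fields
of the concentrator's certificate against expected values, can be sketched as
follows. This is an added example, not code from Cisco or from the original
advisory; it assumes the certificate chain has already been validated and the
subject DN is available as an RFC 4514 string, and the function names, pinned
values and sample DNs are constructed for illustration.

```python
# Added illustration (not Cisco's code): pin DN fields of the gateway certificate.
# Assumes chain validation already succeeded; all names and sample DNs are constructed.
import string

def parse_dn(dn):
    """Parse an RFC 4514 DN string into {ATTR: [values]}; fail closed on odd input."""
    fields, cur, esc = {}, [], False
    def flush():
        attr, sep, value = "".join(cur).partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN")
        fields.setdefault(attr.strip().upper(), []).append(value)
        cur.clear()
    for ch in dn:
        if esc:
            if ch in string.hexdigits:   # \XX hex-pair escapes are not handled here
                raise ValueError("hex escape not supported")
            cur.append(ch)               # escaped special character stays in the value
            esc = False
        elif ch == "\\":
            esc = True
        elif ch in ",+":                 # unescaped RDN or multi-value separator
            flush()
        else:
            cur.append(ch)
    if esc:
        raise ValueError("dangling escape")
    flush()
    return fields

def gateway_dn_matches(subject_dn, pinned):
    """True only if each pinned attribute occurs exactly once with the exact value."""
    try:
        fields = parse_dn(subject_dn)
    except ValueError:
        return False                     # unparseable DN is treated as a mismatch
    return bool(pinned) and all(fields.get(a.upper()) == [v] for a, v in pinned.items())

PINNED = {"CN": "vpn-gw.example.com", "OU": "Remote Access", "O": "Example Corp"}
SAMPLES = {  # constructed subject DNs, all imagined as issued by the same trusted CA
    "gateway": "CN=vpn-gw.example.com,OU=Remote Access,O=Example Corp,C=US",
    "same CA, other holder": "CN=jdoe-laptop,OU=Sales,O=Example Corp,C=US",
    "escaped comma": "CN=vpn-gw.example.com,O=Example Corp\\,OU=Remote Access",
    "duplicate CN": "CN=vpn-gw.example.com,CN=x,OU=Remote Access,O=Example Corp",
}

if __name__ == "__main__":
    for label, dn in SAMPLES.items():
        print(f"{label:22} -> {'accept' if gateway_dn_matches(dn, PINNED) else 'reject'}")
```

Only the first sample is accepted. The second passes chain validation but names
a different certificate holder, which is the case a client without DN matching
cannot distinguish.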

Impact:
DDTS: CSCdt35749 - NETBIOS TCP packet vulnerability
Impact:
This vulnerability can be exploited to initiate a denial-of-service
attack.

DDTS: CSCdt60391 - Group passwords visible using utility program
Impact:
Unintended disclosure of the group password.

DDTS: CSCdw87717 - Concentrator certificate identity vulnerability
Impact:
This vulnerability could be exploited to initiate a man-in-the-middle
attack.

DDTS: CSCdx89416 - Random number generation improvement
Impact:
Improvement in the randomness of random numbers generated for use by the
VPN Client.

DDTS: CSCdy37058 - TCP filter vulnerability
Impact:
This vulnerability could be exploited to leak information about the VPN
Client workstation.

Software Versions and Fixes:
DDTS: CSCdt35749 - NETBIOS TCP packet vulnerability
Fixed Releases:
 * 3.6(Rel) or later
 * 3.5(Rel) or later
 * 3.1(Rel) or later
 * 3.0.5 or later

DDTS: CSCdt60391 - Group passwords visible using utility program
Fixed Releases:
 * 3.6(Rel) or later
 * 3.5.1C or later

DDTS: CSCdw87717 - Concentrator certificate identity vulnerability
Fixed Releases:
 * 3.6(Rel) or later
 * 3.5.1C or later

DDTS: CSCdx89416 - Random number generation improvement
Fixed Releases:
 * 3.6(Rel) or later
 * 3.5.2B or later

DDTS: CSCdy37058 - TCP filter vulnerability
Fixed Releases:
 * 3.6.1 or later
 * 3.5.4 or later
 
The procedure to upgrade on the various platforms to the fixed software
version is detailed in the documentation available at
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/.

Obtaining Fixed Software:
Cisco is offering free software upgrades to address these vulnerabilities
for all affected customers. Customers may only install and expect support
for the feature sets they have purchased.

Customers with service contracts should contact their regular update
channels to obtain the free software upgrade identified via this advisory.
For most customers with service contracts, this means that upgrades should
be obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com/kobayashi/sw-center/vpn/client/. To access the
software download URL, you must be a registered user and you must be
logged in.

Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
upgrade(s).

Customers who purchased directly from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale, should obtain fixed software by contacting the Cisco Technical
Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain an upgrade to a later
version of the same release or as indicated by the applicable corrected
software version in Software Versions and Fixes.

Cisco TAC contacts are as follows:
 * +1 800 553 2447 (toll free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this
advisory as evidence of your entitlement to a free upgrade.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds:
DDTS: CSCdt35749 - NETBIOS TCP packet vulnerability
Workaround:
There is no workaround.

DDTS: CSCdt60391 - Group passwords visible using utility program
Workaround:
There is no workaround.

DDTS: CSCdw87717 - Concentrator certificate identity vulnerability
Workaround:
There is no workaround.

DDTS: CSCdx89416 - Random number generation improvement
Workaround:
Not applicable.

DDTS: CSCdy37058 - TCP filter vulnerability
Workaround:
There is no workaround.

ADDITIONAL INFORMATION

The original advisory can be accessed by going to:
 http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml

The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
