[NEWS] Cisco VPN 5000 Client Multiple Vulnerabilities
From: support@securiteam.comDate: 09/18/02
- Previous message: support@securiteam.com: "[UNIX] OpenSSH 3.4p1 Allows Revealing of Password (Privsep Feature)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Wed, 18 Sep 2002 18:35:35 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Cisco VPN 5000 Client Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Multiple vulnerabilities exist in the Cisco Virtual Private Network (VPN)
5000 Client software. These vulnerabilities are documented as Cisco bug ID
CSCdx17109 and CSCdy20065. There are some workarounds available to
mitigate the effects of these vulnerabilities.
DETAILS
Affected Products:
DDTS Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Affected Releases:
MAC OS VPN 5000 Client releases earlier than 5.2.2
DDTS Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow
vulnerability
Affected Releases:
* Linux VPN 5000 Client releases earlier than 5.2.7
* Solaris VPN 5000 Client releases earlier than 5.2.8
The Cisco VPN 3000 client and the Cisco VPN client are not affected.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details:
The VPN Client software program on a remote workstation, communicating
with a Cisco VPN device on an enterprise network or with a service
provider, creates a secure connection over the Internet. Through this
connection, you can access a private network as if you were an onsite
user.
DDTS - Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Details:
When saving the "Default Connection" in the resource fork of the
preferences file, the client saves the entire contents of the data
structure that represents the "Default Connection" which includes the most
recently used login password.
This password can be read in plain text using the ResEdit tool. This
occurs regardless of whether "SaveSecrets" is enabled or disabled and
regardless of whether you encrypt passwords or not.
DDTS - Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow
vulnerability
Details:
Two buffer overflow issues exist in the VPN 5000 Client for Linux and
Solaris. One in the close_tunnel binary and one in the open_tunnel binary.
To exploit the vulnerability one has to be logged in on the workstation.
The buffer overflows could be locally exploited to gain root privileges on
the workstation.
These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs
CSCdx17109 and CSCdy20065, and can be viewed after September 19, 2002 at
1500 UTC. To access this tool, you must be a registered user and you must
be logged in.
Impact:
DDTS - Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Impact:
Unintended exposure of password
DDTS - Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow
vulnerability
Impact:
This vulnerability could be locally exploited to elevate one's system
privileges.
Software Versions and Fixes:
DDTS - Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Fixed Releases:
MAC OS VPN 5000 Client release 5.2.2 or later
DDTS - Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow
vulnerability
Fixed Releases:
* Linux VPN 5000 Client release 5.2.7 or later
* Solaris VPN 5000 Client release 5.2.8 or later
The procedure to upgrade to the fixed software version is detailed at
<http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/client/>
http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/client/.
Obtaining Fixed Software:
Cisco is offering free software upgrades to address these vulnerabilities
for all affected customers. Customers may only install and expect support
for the feature sets they have purchased.
Customers with service contracts should contact their regular update
channels to obtain the free software upgrade identified via this advisory.
For most customers with service contracts, this means that upgrades should
be obtained through the Software Center on Cisco's worldwide website at
<http://www.cisco.com/public/sw-center/vpn/5000/>
http://www.cisco.com/public/sw-center/vpn/5000/. To access the software
download URL <http://www.cisco.com/public/sw-center/vpn/5000/>
http://www.cisco.com/public/sw-center/vpn/5000/, you must be a registered
user and you must be logged in.
Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
upgrade(s).
Customers who purchased directly from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third party vendors
but are unsuccessful at obtaining fixed software through their point of
sale, should obtain fixed software by contacting the Cisco Technical
Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain an upgrade to a later
version of the same release or as indicated by the applicable corrected
software version in the Software Versions and Fixes section (noted above).
Cisco TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
See <http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml>
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.
Please have your product serial number available and give the URL of this
advisory as evidence of your entitlement to a free upgrade.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds:
DDTS - Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Workaround / Mitigation Techniques:
* An attempt to log in using a wrong password after one has finished
using the connection causes the wrong password to be stored in the
resources fork.
* Turn the "Save Secrets" option off on the concentrator. This will stop
the VPN 5000 Client from saving the password.
DDTS - Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow
vulnerability
Workaround / Mitigation Techniques:
There is no workaround.
The Cisco PSIRT recommends that affected users upgrade to a fixed software
version of code.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] OpenSSH 3.4p1 Allows Revealing of Password (Privsep Feature)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
