Cisco VPN Client Multiple Vulnerabilities - Second Set
12 Sep. 2002
Summary
Multiple vulnerabilities exist in the Cisco Virtual Private Network (VPN) Client software. These vulnerabilities are documented as Cisco Bug IDs CSCdt35749, CSCdt60391, CSCdw87717, CSCdx89416, and CSCdy37058. There are no workarounds available to mitigate the effects of these vulnerabilities.
Affected Products:
The VPN Client software program runs on the following platforms.
* Microsoft Windows-based PC.
* Red Hat Version 6.2 Linux (Intel), or compatible distribution, using kernel Version 2.2.12 or later. It does not support kernel Version 2.5.
* Solaris UltraSPARC running a 32-bit or a 64-bit kernel OS Version 2.6 or later.
* Mac OS X Version 10.1.0 or later.
No other Cisco products are currently known to be affected by these vulnerabilities.
Details:
The VPN Client software program on a remote workstation, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. Through this connection you can access a private network as if you were an onsite user.
Description Details:
The VPN Client is vulnerable to NETBIOS TCP packets that have their source and destination ports set to 137 (NETBIOS Name Service). Upon receiving such a packet, the VPN Client crashes.
DDTS:
CSCdt60391 - Group passwords visible using utility program
Description Details:
There is a utility program under Windows that can decipher the group password field, which is shown as a series of asterisks (***...) on the authentication property page of the VPN Client.
Description Details:
When a VPN Client connects to a VPN Concentrator using certificates, the VPN Client does not have the ability to verify that specific certificate DN fields match in the certificate received from the VPN Concentrator.
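An added illustration, not Cisco's code and not part of the original advisory: a check of the kind this item says the client lacked, comparing selected DN fields of the concentrator's certificate against expected values once the certificate chain has been validated. The DN string, the expected field values and all function names are constructed for the example.

```python
import re

# Constructed sample values (not from the advisory).
PEER_DN = r"CN=vpn-gw1.example.com,OU=Remote Access,O=Example\, Inc.,C=US"
REQUIRED = {"CN": "vpn-gw1.example.com", "OU": "Remote Access", "O": "Example, Inc."}

def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair for unescape()
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Resolve \\XX hex pairs and \\<char> escapes (ASCII values only)."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def parse_dn(dn):
    """Parse an RFC 4514-style DN string into {ATTR: [values]}."""
    fields = {}
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed DN component: {ava!r}")
            fields.setdefault(attr.strip().upper(), []).append(unescape(value))
    return fields

def dn_matches(dn, required):
    """True only if each required field appears exactly once with the expected value."""
    try:
        fields = parse_dn(dn)
    except ValueError:
        return False  # fail closed on anything unparseable
    return all(fields.get(k.upper()) == [v] for k, v in required.items())

if __name__ == "__main__":
    print(dn_matches(PEER_DN, REQUIRED))
```

Requiring each pinned field to appear exactly once is a deliberately strict policy choice in this sketch, so a DN that carries an extra CN value alongside the expected one is rejected rather than accepted.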
DDTS:
CSCdx89416 - Random number generation improvement
Description Details:
The random number generation process in the VPN Client software has been significantly improved to increase the randomness of the generated numbers.
DDTS:
CSCdy37058 - TCP filter vulnerability
Description Details:
It is possible to get the VPN Client, which is configured for all tunnel mode (split tunneling disabled mode), to acknowledge a TCP packet via the tunnel-assigned IP, when the packet is sent to it from outside the tunnel. The 3.5.x releases are protected against this vulnerability if the firewall is configured to be in "always on" mode. The 3.6(Rel) release is vulnerable even when the firewall is in "always on" mode.
These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs CSCdt35749, CSCdt60391, CSCdw87717, CSCdx89416 and CSCdy37058, and can be viewed after 2002 September 6 at 1500 UTC. To access this tool, you must be a registered user and you must be logged in.
Obtaining Fixed Software:
Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased.
Customers with service contracts should contact their regular update channels to obtain the free software upgrade identified via this advisory. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/kobayashi/sw-center/vpn/client/. To access the software download URL, you must be a registered user and you must be logged in.
Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).
Customers who purchased directly from Cisco but who do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale, should obtain fixed software by contacting the Cisco Technical Assistance Center (TAC) using the contact information listed below. In these cases, customers are entitled to obtain an upgrade to a later version of the same release or as indicated by the applicable corrected software version in Software Versions and Fixes.
Cisco TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com