Multiple vulnerabilities exist in the Cisco Virtual Private Network (VPN) 5000 Client software. These vulnerabilities are documented as Cisco bug ID CSCdx17109 and CSCdy20065. There are some workarounds available to mitigate the effects of these vulnerabilities.
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
Affected Products:
DDTS Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Affected Releases:
MAC OS VPN 5000 Client releases earlier than 5.2.2
DDTS Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow vulnerability
Affected Releases:
* Linux VPN 5000 Client releases earlier than 5.2.7
* Solaris VPN 5000 Client releases earlier than 5.2.8
The Cisco VPN 3000 client and the Cisco VPN client are not affected.
No other Cisco products are currently known to be affected by these vulnerabilities.
Details:
The VPN Client software program on a remote workstation, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. Through this connection, you can access a private network as if you were an onsite user.
DDTS - Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Details:
When saving the "Default Connection" in the resource fork of the preferences file, the client saves the entire contents of the data structure that represents the "Default Connection" which includes the most recently used login password.
This password can be read in plain text using the ResEdit tool. This occurs regardless of whether "SaveSecrets" is enabled or disabled and regardless of whether you encrypt passwords or not.
DDTS - Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow vulnerability
Details:
Two buffer overflow issues exist in the VPN 5000 Client for Linux and Solaris: one in the close_tunnel binary and one in the open_tunnel binary. To exploit the vulnerability, one has to be logged in on the workstation. The buffer overflows could be exploited locally to gain root privileges on the workstation.
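An added inventory check, not part of the Cisco advisory: it locates the open_tunnel and close_tunnel binaries under directories you supply and reports whether each is set-uid and which uid owns it, so hosts still carrying a pre-fix client can be prioritised for upgrade. The search directories are an assumption (the advisory gives no install path), as is the premise that the binaries are installed set-uid root, which the advisory does not state.

```shell
#!/bin/sh
# Added example: locate the two binaries named in CSCdy20065 and report
# their privilege bits. Uses only POSIX find/ls/awk so it runs on both
# Linux and Solaris. Search roots are supplied by the caller (assumption:
# the advisory does not document where the client is installed).

# list_tunnel_binaries DIR...
# Prints one line per match: "<path> setuid=<yes|no> owner_uid=<n>"
list_tunnel_binaries() {
    for dir in "$@"; do
        # Skip roots that do not exist on this host.
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name open_tunnel -o -name close_tunnel \) 2>/dev/null |
        while IFS= read -r path; do
            # -perm -4000 matches only when the set-uid bit is present.
            if [ -n "$(find "$path" -perm -4000 2>/dev/null)" ]; then
                suid=yes
            else
                suid=no
            fi
            # ls -ln prints the numeric owner in the third field.
            uid=$(ls -ln "$path" | awk '{print $3}')
            printf '%s setuid=%s owner_uid=%s\n' "$path" "$suid" "$uid"
        done
    done
}

# count_setuid_root DIR...
# Prints how many matches are both set-uid and owned by uid 0, i.e. the
# copies that would run with root privileges for any local user.
count_setuid_root() {
    list_tunnel_binaries "$@" |
        awk '/ setuid=yes owner_uid=0$/ { n++ } END { print n + 0 }'
}

# Stand-alone use: sh check_vpn5000.sh /usr/local/bin /opt
if [ "$#" -gt 0 ]; then
    list_tunnel_binaries "$@"
fi
```

Any line reporting `setuid=yes owner_uid=0` marks a host to check against the fixed releases listed under Software Versions and Fixes.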
These vulnerabilities are documented in the Cisco Bug Toolkit as Bug IDs CSCdx17109 and CSCdy20065, and can be viewed after September 19, 2002 at 1500 UTC. To access this tool, you must be a registered user and you must be logged in.
Impact:
DDTS - Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Impact:
Unintended exposure of password
DDTS - Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow vulnerability
Impact:
This vulnerability could be locally exploited to elevate one's system privileges.
Software Versions and Fixes:
DDTS - Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Fixed Releases:
MAC OS VPN 5000 Client release 5.2.2 or later
DDTS - Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow vulnerability
Fixed Releases:
* Linux VPN 5000 Client release 5.2.7 or later
* Solaris VPN 5000 Client release 5.2.8 or later
The procedure to upgrade to the fixed software version is detailed at http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/client/.
Obtaining Fixed Software:
Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased.
Customers with service contracts should contact their regular update channels to obtain the free software upgrade identified via this advisory. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/public/sw-center/vpn/5000/. To access the software download URL http://www.cisco.com/public/sw-center/vpn/5000/, you must be a registered user and you must be logged in.
Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).
Customers who purchased directly from Cisco but who do not hold a Cisco service contract, and customers who purchase through third party vendors but are unsuccessful at obtaining fixed software through their point of sale, should obtain fixed software by contacting the Cisco Technical Assistance Center (TAC) using the contact information listed below. In these cases, customers are entitled to obtain an upgrade to a later version of the same release or as indicated by the applicable corrected software version in the Software Versions and Fixes section (noted above).
Cisco TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.
Please have your product serial number available and give the URL of this advisory as evidence of your entitlement to a free upgrade.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds:
DDTS - Description:
CSCdx17109 - MAC OS VPN 5000 Client password vulnerability
Workaround / Mitigation Techniques:
* An attempt to log in using a wrong password, made after one has finished using the connection, causes the wrong password to be stored in the resource fork.
* Turn the "Save Secrets" option off on the concentrator. This will stop the VPN 5000 Client from saving the password.
DDTS - Description:
CSCdy20065 - Linux and Solaris VPN 5000 Client buffer overflow vulnerability
Workaround / Mitigation Techniques:
There is no workaround.
The Cisco PSIRT recommends that affected users upgrade to a fixed software version.