CERT-In Advisory CIAD-2007-61
Cisco VPN Client for Windows Multiple Local Privilege Escalation Vulnerabilities

Original issue date: November 21, 2007

Systems Affected

  • Cisco VPN Client for Windows versions 2.x
  • Cisco VPN Client for Windows versions 3.x
  • Cisco VPN Client for Windows versions 4.0.x
  • Cisco VPN Client for Windows versions 4.6.x
  • Cisco VPN Client for Windows versions 4.7.x (with the exception of version 4.7.00.0533)
  • Cisco VPN Client for Windows versions 4.8.00.x

Overview

Two vulnerabilities have been identified in Cisco VPN Client for Windows that could be exploited by local, unprivileged users to obtain elevated privileges. The first is due to the VPN client dialer (GUI) failing to drop privileges before launching certain dialog boxes; the second is due to weak default file permissions on the Cisco VPN Service executable (cvpnd.exe). Either could be exploited by a local attacker to execute arbitrary commands with SYSTEM privileges.

Description

Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers. The following vulnerabilities have been reported in the Cisco VPN Client for Windows. The first affects its Graphical User Interface (GUI), also known as the "VPN client dialer"; the second affects the Cisco VPN Service (cvpnd.exe):

1. Local Privilege Escalation Through Microsoft Windows Dial-Up Networking Interface (CVE-2007-4414)

Unprivileged users can elevate their privileges to those of the Local System account by enabling the Start Before Logon (SBL) feature and configuring a VPN profile to use the Microsoft Dial-Up Networking interface. When these two settings are enabled and configured concurrently, the Cisco VPN Client GUI is available on the Windows logon screen; neither setting requires administrative privileges to configure. From the Windows logon screen, a user can select the VPN profile that is configured to use Microsoft dial-up networking and thereby launch a dial-up networking dialog box. Because the GUI shown at the logon screen runs before any user has logged on, a dialog it launches without first dropping privileges (and anything started from that dialog) runs with Local System privileges, which is how users can elevate their privileges.

Workarounds: There is no workaround for this vulnerability; apply the fixed software listed in the Cisco advisory referenced under Vendor Information.

2. Local Privilege Escalation Through Default cvpnd.exe File Permissions (CVE-2007-4415)

Unprivileged users can execute arbitrary programs that run with the privileges of the Local System account by replacing the Cisco VPN Service executable with an arbitrary executable. This vulnerability exists because the default permissions assigned during installation to cvpnd.exe (the executable for the Cisco VPN Service) allow unprivileged, interactive users to replace cvpnd.exe with any file. Since the service runs as Local System, a replaced cvpnd.exe executes with SYSTEM privileges the next time the service starts.

Workarounds: An effective workaround for this vulnerability is to revoke the access rights of NT AUTHORITY\INTERACTIVE on cvpnd.exe. Note that reinstalling or upgrading the client may reset the file's permissions, so the permissions should be re-checked afterwards.
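The workaround above as a PowerShell audit-and-fix script, added here as an example; it is not code from the CERT-In advisory or from Cisco. It assumes the default installation path `C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe` (adjust it for your systems), and the function names and the list of trusted principals are illustrative. Beyond the INTERACTIVE case named in the advisory, the audit function also reports any other non-administrative principal that holds rights sufficient to replace the file, since the same escalation would apply to it.

```powershell
# Added example, not code from CERT-In or Cisco. Assumed install path; adjust to your systems.
$Cvpnd = 'C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe'

# Principals that legitimately need rights on a service binary (assumption for this example).
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets a caller overwrite, delete, or re-ACL the file, i.e. replace cvpnd.exe.
$ReplaceRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-CvpndWritableAces {
    # Returns every Allow ACE that gives a non-trusted principal a right usable to replace the binary.
    # An empty result means the CVE-2007-4415 condition (INTERACTIVE can replace cvpnd.exe) is absent.
    param([string]$Path = $Cvpnd)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedPrincipals -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$ReplaceRights)) -ne 0
    }
}

function Remove-CvpndInteractiveAccess {
    # Implements the advisory's workaround: strip every ACE for NT AUTHORITY\INTERACTIVE from cvpnd.exe.
    # Inherited ACEs cannot be removed one by one, so inheritance is first disabled with the inherited
    # entries copied as explicit ACEs; SYSTEM and Administrators therefore keep their existing access.
    param([string]$Path = $Cvpnd)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read the now-explicit ACL and purge all rules (Allow and Deny) held by INTERACTIVE.
    $acl = Get-Acl -LiteralPath $Path
    $interactive = [System.Security.Principal.NTAccount]'NT AUTHORITY\INTERACTIVE'
    $acl.PurgeAccessRules($interactive)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage: audit, apply the workaround, then confirm that no replaceable ACE remains.
Get-CvpndWritableAces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Remove-CvpndInteractiveAccess
if (Get-CvpndWritableAces) {
    Write-Warning 'cvpnd.exe can still be replaced by a non-trusted principal; review the ACEs above'
} else {
    Write-Host 'cvpnd.exe ACL hardened: no non-trusted principal can replace the file'
}
```

Run this from an elevated PowerShell session, since changing the DACL requires WRITE_DAC on the file. The final check matters: if the write access came through a group such as BUILTIN\Users rather than INTERACTIVE, the advisory's workaround alone leaves the file replaceable, and the script reports that. Re-run the audit after any client upgrade or reinstall, which may restore the original permissions.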

Vendor Information

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml

References

Securiteam
http://www.securiteam.com/windowsntfocus/5BP1100MAY.html

Secunia
http://secunia.com/advisories/26459/

Frsirt
http://www.frsirt.com/english/advisories/2006/1964

Securityfocus
http://www.securityfocus.com/bid/25332

CVE Names
CVE-2007-4414
CVE-2007-4415

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003