
Cisco Buffer Overflow in UNIX VPN Client (CIAC M-092)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    Cisco Buffer Overflow in UNIX VPN Client
                     [Cisco Security Advisory: CSCdx39290]

June 19, 2002 18:00 GMT                                           Number M-092
______________________________________________________________________________
PROBLEM:       Cisco has identified a buffer overflow in the Cisco VPN Clients 
               for Linux, Solaris, and Mac OS X platforms. By default, the 
               vpnclient command is installed on a UNIX-based system as a 
               binary executable file with setuid permissions. 
PLATFORM:      Versions 3.5.1 and earlier of the Cisco VPN Clients for Linux, 
               Solaris, and Mac OS X platforms. 
DAMAGE:        If exploited, a local user could gain root access. 
SOLUTION:      Remove the setuid permissions on the vpnclient binary 
               executable file as outlined in this advisory or upgrade to 
               version 3.5.2. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The buffer overflow can only be exercised
ASSESSMENT:    by executing the vpnclient command directly on the local system. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-092.shtml 
 ORIGINAL BULLETIN:  http://www.cisco.com/warp/public/707/cisco-unix-vpnclient-buffer-overflow-pub.shtml
______________________________________________________________________________

[***** Start Cisco Security Advisory: CSCdx39290 *****]

Cisco Security Advisory: Buffer Overflow in UNIX VPN Client
Revision 1.0
For Public Release 2002 June 19 at 14:00 GMT

--------------------------------------------------------------------------------

Contents 
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Product Security Procedures

--------------------------------------------------------------------------------

Summary
A buffer overflow in the Cisco VPN Clients for Linux, Solaris, and Mac OS X platforms 
can be exploited locally to gain administrative privileges on the client system. The 
vulnerability can be mitigated by removing the "setuid" permissions on the vpnclient 
binary executable file. The Cisco VPN Clients for Windows platforms are not affected.

The vulnerability has been repaired in version 3.5.2. Cisco is making fixed software 
available free to affected customers. This issue is documented as CSCdx39290. Cisco is 
not aware of any public discussion or active exploitation of this vulnerability.

The official current copy of this security advisory is available at 
http://www.cisco.com/warp/public/707/cisco-unix-vpnclient-buffer-overflow-pub.shtml. 

Affected Products
This vulnerability affects versions 3.5.1 and earlier of the Cisco VPN Clients for 
Linux, Solaris, and Mac OS X platforms.

It does not affect the Cisco VPN Clients for any Windows platform. No other Cisco 
product is affected.

Details
The Cisco VPN (Virtual Private Network) Client establishes an encrypted tunnel between 
a local system and a Cisco VPN Concentrator. The tunnel provides confidentiality and 
integrity for the data in transit, allowing a user on the local system to securely 
connect to a corporate network via a public, possibly untrusted network.

If an overly-long profile name is given as an argument to the vpnclient command, a 
buffer overflow occurs that overwrites return values on the system's stack. The 
contents of the overly-long profile name could be crafted to execute arbitrary 
instructions. The buffer overflow can only be exercised by executing the vpnclient 
command directly on the local system.

By default, the vpnclient command is installed on a UNIX-based system as a binary 
executable file with setuid permissions. Since setuid files execute with the effective 
permissions of "root", the administrative user of a UNIX-based system, the arbitrary 
instructions will execute with administrative permissions.

In lieu of installing fixed software, the vulnerability can be mitigated by removing 
the setuid permissions on the vpnclient binary executable file as shown below. This 
does not prevent the buffer overflow from occurring, but it limits the damage to what 
the invoking user could already do with their own privileges.

The problem has been resolved by adding better tests for buffer overflows and by 
removing unnecessary setuid permissions on executable files in the software package as 
provided. Note that the cvpnd daemon, another one of the binary executable files in 
the software package, retains setuid permissions to preserve its ability to change the 
configuration of the network interface. This capability is essential for establishing, 
managing, and removing a VPN connection.

This vulnerability is documented as CSCdx39290. Details can be viewed on-line by 
registered users of Cisco's website.

Impact
The vulnerability could be exploited by a local user to execute arbitrary 
instructions. If the affected binary executable file is installed with setuid 
permissions, the instructions will execute with administrative permissions and could 
be used to modify any part of the system without authorization. The setuid permissions 
are set by default in the software package as supplied by Cisco.

Software Versions and Fixes
This vulnerability was found and reported in the Cisco VPN Client version 3.5.1 for 
Linux, and has been confirmed internally in the Cisco VPN Client for Solaris and Mac 
OS X. It has been repaired in version 3.5.2 for those affected platforms and is 
available immediately. All previous versions on the affected platforms are considered 
vulnerable. The fixes will be carried forward into all future versions.

Obtaining Fixed Software 
Cisco is making fixed software available free of charge to all affected customers.

Customers with contracts should obtain upgraded software through their regular update 
channels. For most customers, this means that upgrades should be obtained through the 
Software Center on Cisco's worldwide website at http://www.cisco.com/.

Customers whose Cisco products are provided or maintained through prior or existing 
agreement with third-party support organizations such as Cisco Partners, authorized 
resellers, or service providers should contact that support organization for 
assistance with the upgrade, which should be free of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco service contract 
and customers who purchase through third-party vendors but are unsuccessful at 
obtaining fixed software through their point of sale should get their upgrades by 
contacting the Cisco Technical Assistance Center (TAC):

+1 800 553 2447 (toll-free from within North America) 
+1 408 526 7209 (toll call from anywhere in the world) 
e-mail: tac@cisco.com 
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC 
contact information, including special localized telephone numbers, instructions, and 
e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this notice as 
evidence of your entitlement to a free upgrade. Free upgrades for non-contract 
customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for 
software upgrades.

Workarounds
The vulnerability can be mitigated by removing setuid permissions on the vpnclient 
executable binary file using the chmod command on the affected file as follows:

/bin/chmod 755 /usr/local/bin/vpnclient

If unfixed versions of the software are re-installed at a later date or restored from 
backups, the workaround shown above must be executed again.

Note: The workaround shown above does not prevent the buffer overflow from occurring. 
It merely limits the damage that can occur if the overflow is exploited to what the 
local user could already do with their own privileges. Customers are urged to upgrade 
to fixed versions of the software as soon as possible.

Also note that the cvpnd binary executable file must retain setuid permissions in 
order to operate correctly. Customers are cautioned not to use wildcards to remove 
setuid permissions on files in the VPN Client software package.
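The following POSIX shell script is an added example, not part of the Cisco advisory or the CIAC bulletin. It applies the workaround above to the vpnclient file only (never with a wildcard, for the reason given in the preceding paragraph) and then audits the install directory so an operator can confirm that vpnclient has lost its setuid bit while cvpnd has kept it. The install prefix /usr/local/bin is taken from the advisory's chmod command; the function names, the VPN_BINDIR variable and the directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Cisco's or CIAC's code): apply the advisory's chmod 755
# workaround to vpnclient only and verify the result. VPN_BINDIR defaults to
# the path used in the advisory; override it if the client was installed elsewhere.
VPN_BINDIR="${VPN_BINDIR:-/usr/local/bin}"

# Print "yes" if the file carries the setuid bit, "no" otherwise.
# ls(1) is used instead of stat(1) because stat's flags differ between
# Linux and BSD/macOS, and the advisory covers Linux, Solaris and Mac OS X.
# Column 4 of the ls -l mode string is the owner execute position, which
# shows 's' (or 'S' when not executable) when setuid is set.
has_setuid() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c4)" in
        s|S) echo yes ;;
        *)   echo no ;;
    esac
}

# Remove the setuid bit from vpnclient only, exactly as the advisory does.
# Returns 0 on success, 1 if the binary is not where we expect it.
drop_vpnclient_setuid() {
    dir="${1:-$VPN_BINDIR}"
    f="$dir/vpnclient"
    if [ ! -f "$f" ]; then
        echo "no vpnclient binary at $f" >&2
        return 1
    fi
    chmod 755 "$f"
}

# Audit step: list every setuid file under the install directory (so any
# unexpected one stands out), then check the two files the advisory names.
# Returns 0 only if vpnclient is no longer setuid AND cvpnd still is;
# cvpnd needs setuid to reconfigure the network interface.
audit_vpn_setuid() {
    dir="${1:-$VPN_BINDIR}"
    echo "setuid files under $dir:"
    find "$dir" -type f -perm -4000 -print
    [ "$(has_setuid "$dir/vpnclient")" = no ] && \
    [ "$(has_setuid "$dir/cvpnd")" = yes ]
}

# Usage (run as root on the affected host):
#   . ./vpn_setuid_workaround.sh
#   drop_vpnclient_setuid && audit_vpn_setuid && echo "workaround applied"
```

Re-run both functions after any reinstall or restore from backup, since the package's own permissions reinstate the setuid bit on vpnclient.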

Exploitation and Public Announcements
The Cisco PSIRT is not aware of any malicious exploitation nor public discussion of 
this vulnerability.

This issue was reported directly to the Cisco PSIRT by methodic and Josha Bronson of 
AngryPacket Security. They are simultaneously publishing a security advisory at 
http://sec.angrypacket.com/advisories/0002_AP.vpnclient.txt.

Status of This Notice: FINAL
This is a final notice. Although Cisco cannot guarantee the accuracy of all statements 
in this notice, all of the facts have been checked to the best of our ability. Cisco 
does not anticipate issuing updated versions of this notice unless there is some 
material change in the facts. Should there be a significant change in the facts, Cisco 
may update this notice.

A standalone copy or paraphrase of the text of this security advisory that omits the 
origin URL in the following section is an uncontrolled copy, and may lack important 
information or contain factual errors.

Distribution
This notice will be posted on Cisco's worldwide website at 
http://www.cisco.com/warp/public/707/cisco-unix-vpnclient-buffer-overflow-pub.shtml. 
In addition to worldwide web posting, a text version of this notice is clear-signed 
with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news 
recipients: 

cust-security-announce@cisco.com 
bugtraq@securityfocus.com 
first-teams@first.org (includes CERT/CC) 
cisco@spot.colorado.edu 
cisco-nsp@puck.nether.net 
comp.dcom.sys.cisco 
firewalls@lists.gnac.com 
Various internal Cisco mailing lists 

Future updates of this notice, if any, will be placed on Cisco's worldwide web server, 
but may or may not be actively announced on mailing lists or newsgroups. Users 
concerned about this problem are encouraged to check the URL given above for any 
updates. 

Revision History

Revision 1.0 2002/06/19 Initial public release. 

Cisco Product Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, 
obtaining assistance with security incidents, and registering to receive security 
information from Cisco, is available on Cisco's worldwide website at 
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes 
instructions for press inquiries regarding Cisco security notices. All Cisco Security 
Advisories are available at http://www.cisco.com/go/psirt/.

--------------------------------------------------------------------------------

This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be redistributed 
freely after the release date given at the top of the text, provided that 
redistributed copies are complete and unmodified, and include all date and version 
information. 

--------------------------------------------------------------------------------

[***** End Cisco Security Advisory: CSCdx39290 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-083: Microsoft Authentication Flaw in Windows Debugger
M-084: Red Hat "pam_ldap" Vulnerability
M-085: IMAP Partial Mailbox Attribute Buffer Overflow Vulnerability
CIACTech02-004: Parasite Programs; Adware, Spyware, and Stealth Networks
M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability
M-088: MS Unchecked Buffer in Gopher Protocol Handler
M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability

