Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: m-092.txt

Cisco Buffer Overflow in UNIX VPN Client (CIAC M-092)




             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    Cisco Buffer Overflow in UNIX VPN Client
                     [Cisco Security Advisory: CSCdx39290]

June 19, 2002 18:00 GMT                                           Number M-092
______________________________________________________________________________
PROBLEM:       Cisco has identified a buffer overflow in the Cisco VPN Clients 
               for Linux, Solaris, and Mac OS X platforms. By default, the 
               vpnclient command is installed on a UNIX-based system as a 
               binary executable file with setuid permissions. 
PLATFORM:      Versions 3.5.1 and earlier of the Cisco VPN Clients for Linux, 
               Solaris, and Mac OS X platforms. 
DAMAGE:        If exploited, a local user could gain root access. 
SOLUTION:      Remove the setuid permissions on the vpnclient binary 
               executable file as outlined in this advisory or upgrade to 
               version 3.5.2. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The buffer overflow can only be exercised
ASSESSMENT:    by executing the vpnclient command directly on the local system. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-092.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.cisco.com/warp/public/707/
                             cisco-unix-vpnclient-buffer-overflow-pub.shtml
______________________________________________________________________________

[***** Start Cisco Security Advisory: CSCdx39290 *****]

Cisco Security Advisory: Buffer Overflow in UNIX VPN Client
Revision 1.0
For Public Release 2002 June 19 at 14:00 GMT

--------------------------------------------------------------------------------

Contents 
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice
Distribution
Revision History
Cisco Product Security Procedures

--------------------------------------------------------------------------------

Summary
A buffer overflow in the Cisco VPN Clients for Linux, Solaris, and Mac OS X platforms 
can be exploited locally to gain administrative privileges on the client system. The 
vulnerability can be mitigated by removing the "setuid" permissions on the vpnclient 
binary executable file. The Cisco VPN Clients for Windows platforms are not affected.

The vulnerability has been repaired in version 3.5.2. Cisco is making fixed software 
available free to affected customers. This issue is documented as CSCdx39290. Cisco is 
not aware of any public discussion or active exploitation of this vulnerability.

The official current copy of this security advisory is available at 
http://www.cisco.com/warp/public/707/cisco-unix-vpnclient-buffer-overflow-pub.shtml. 

Affected Products
This vulnerability affects versions 3.5.1 and earlier of the Cisco VPN Clients for 
Linux, Solaris, and Mac OS X platforms.

It does not affect the Cisco VPN Clients for any Windows platform. No other Cisco 
product is affected.

Details
The Cisco VPN (Virtual Private Network) Client establishes an encrypted tunnel between 
a local system and a Cisco VPN Concentrator. The tunnel provides confidentiality and 
integrity for the data in transit, allowing a user on the local system to securely 
connect to a corporate network via a public, possibly untrusted network.

If an overly-long profile name is given as an argument to the vpnclient command, a 
buffer overflow occurs that overwrites return values on the system's stack. The 
contents of the overly-long profile name could be crafted to execute arbitrary 
instructions. The buffer overflow can only be exercised by executing the vpnclient 
command directly on the local system.

By default, the vpnclient command is installed on a UNIX-based system as a binary 
executable file with setuid permissions. Since setuid files execute with the effective 
permissions of "root", the administrative user of a UNIX-based system, the arbitrary 
instructions will execute with administrative permissions.

In lieu of installing fixed software, the vulnerability can be mitigated by removing 
the setuid permissions on the vpnclient binary executable file as shown below. This 
cannot prevent the buffer overflow from occurring, but limits the simple range of 
damage that could occur.

The problem has been resolved by adding better tests for buffer overflows and by 
removing unnecessary setuid permissions on executable files in the software package as 
provided. Note that the cvpnd daemon, another one of the binary executable files in 
the software package, retains setuid permissions to preserve its ability to change the 
configuration of the network interface. This capability is essential for establishing, 
managing, and removing a VPN connection.

This vulnerability is documented as CSCdx39290. Details can be viewed on-line by 
registered users of Cisco's website.

Impact
The vulnerability could be exploited by a local user to execute arbitrary 
instructions. If the affected binary executable file is installed with setuid 
permissions, the instructions will execute with administrative permissions and could 
be used to modify any part of the system without authorization. The setuid permissions 
are set by default in the software package as supplied by Cisco.

Software Versions and Fixes
This vulnerability was found and reported in the Cisco VPN Client version 3.5.1 for 
Linux, and has been confirmed internally in the Cisco VPN Client for Solaris and Mac 
OS X. It has been repaired in version 3.5.2 for those affected platforms and is 
available immediately. All previous versions on the affected platforms are considered 
vulnerable. The fixes will be carried forward into all future versions.

Obtaining Fixed Software 
Cisco is making fixed software available free of charge to all affected customers.

Customers with contracts should obtain upgraded software through their regular update 
channels. For most customers, this means that upgrades should be obtained through the 
Software Center on Cisco's worldwide website at http://www.cisco.com/.

Customers whose Cisco products are provided or maintained through prior or existing 
agreement with third-party support organizations such as Cisco Partners, authorized 
resellers, or service providers should contact that support organization for 
assistance with the upgrade, which should be free of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco service contract 
and customers who purchase through third-party vendors but are unsuccessful at 
obtaining fixed software through their point of sale should get their upgrades by 
contacting the Cisco Technical Assistance Center (TAC):

+1 800 553 2447 (toll-free from within North America) 
+1 408 526 7209 (toll call from anywhere in the world) 
e-mail: tac@cisco.com 
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC 
contact information, including special localized telephone numbers, instructions, and 
e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this notice as 
evidence of your entitlement to a free upgrade. Free upgrades for non-contract 
customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for 
software upgrades.

Workarounds
The vulnerability can be mitigated by removing setuid permissions on the vpnclient 
executable binary file using the chmod command on the affected file as follows:

/bin/chmod 755 /usr/local/bin/vpnclient

If unfixed versions of the software are re-installed at a later date or restored from 
backups, the workaround shown above must be executed again.

Note: The workaround shown above does not prevent the buffer overflow from occurring. 
It merely limits the range of the simple damage that can occur if the overflow is 
exploited. Customers are urged to upgrade to fixed versions of the software as soon as 
possible.

Also note that the cvpnd binary executable file must retain setuid permissions in 
order to operate correctly. Customers are cautioned not to use wildcards to remove 
setuid permissions on files in the VPN Client software package.

Exploitation and Public Announcements
The Cisco PSIRT is not aware of any malicious exploitation nor public discussion of 
this vulnerability.

This issue was reported directly to the Cisco PSIRT by methodic and Josha Bronson of 
AngryPacket Security. They are simultaneously publishing a security advisory at 
http://sec.angrypacket.com/advisories/0002_AP.vpnclient.txt.

Status of This Notice: FINAL
This is a final notice. Although Cisco cannot guarantee the accuracy of all statements 
in this notice, all of the facts have been checked to the best of our ability. Cisco 
does not anticipate issuing updated versions of this notice unless there is some 
material change in the facts. Should there be a significant change in the facts, Cisco 
may update this notice.

A standalone copy or paraphrase of the text of this security advisory that omits the 
origin URL in the following section is an uncontrolled copy, and may lack important 
information or contain factual errors.

Distribution
This notice will be posted on Cisco's worldwide website at 
http://www.cisco.com/warp/public/707/cisco-unix-vpnclient-buffer-overflow-pub.shtml. 
In addition to worldwide web posting, a text version of this notice is clear-signed 
with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news 
recipients: 

cust-security-announce@cisco.com 
bugtraq@securityfocus.com 
first-teams@first.org (includes CERT/CC) 
cisco@spot.colorado.edu 
cisco-nsp@puck.nether.net 
comp.dcom.sys.cisco 
firewalls@lists.gnac.com 
Various internal Cisco mailing lists 
Future updates of this notice, if any, will be placed on Cisco's worldwide web server, 
but may or may not be actively announced on mailing lists or newsgroups. Users 
concerned about this problem are encouraged to check the URL given above for any 
updates. 

Revision History

Revision 1.0 2002/06/19 Initial public release. 

Cisco Product Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, 
obtaining assistance with security incidents, and registering to receive security 
information from Cisco, is available on Cisco's worldwide website at 
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes 
instructions for press inquiries regarding Cisco security notices. All Cisco Security 
Advisories are available at http://www.cisco.com/go/psirt/.

--------------------------------------------------------------------------------

This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be redistributed 
freely after the release date given at the top of the text, provided that 
redistributed copies are complete and unmodified, and include all date and version 
information. 

--------------------------------------------------------------------------------

[***** End Cisco Security Advisory: CSCdx39290 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-083: Microsoft Authentication Flaw in Windows Debugger
M-084: Red Hat "pam_ldap" Vulnerability
M-085: IMAP Partial Mailbox Attritbute Buffer Overflow Vulnerability
CIACTech02-004: Parasite Programs; Adware, Spyware, and Stealth Networks
M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability
M-088: MS Unchecked Buffer in Gopher Protocol Handler
M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH