NGS00051 Technical Advisory: Cisco VPN Client Privilege Escalation

2011.07.09
Risk: Medium
Local: Yes
Remote: No


CVSS Base Score: 6.8/10
Impact Subscore: 10/10
Exploitability Subscore: 3.1/10
Exploit range: Local
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

======= Summary ======= Name: Cisco VPN Client Privilege Escalation Release Date: 28 June 2011 Reference: NGS00051 Discoverer: Gavin Jones <gavin.jones (at) ngssecure (dot) com [email concealed]> Vendor: Cisco Vendor Reference: Systems Affected: Cisco VPN client (Windows 64 Bit) Risk: High Status: Fixed ======== TimeLine ======== Discovered: 15 February 2011 Released: 15 February 2011 Approved: 15 February 2011 Reported: 22 February 2011 Fixed: 24 March 2011 Published: 28 June 2011 =========== Description =========== The 64 Bit Cisco VPN Client for Windows 7 is affected by a local privilege escalation vulnerability that allows non-privileged users to gain administrative privileges. ================= Technical Details ================= Unprivileged users can execute arbitrary programs that run with the privileges of the LocalSystem account by replacing the Cisco VPN Service executable with arbitrary executables. This vulnerability exists because the default file permissions assigned during installation to cvpnd.exe (the executable for the Cisco VPN Service) allow unprivileged, interactive users to replace cvpnd.exe with any file. Because the Cisco VPN Service is a Windows service running with LocalSystem privileges, unprivileged users can easily elevate their privileges. It is possible to work around this vulnerability without a software upgrade. The permissions applied to the file by default are shown below: C:\ >cacls "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe" C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe BUILTIN\Users:R BUILTIN\Administrators:F NT AUTHORITY\SYSTEM:F NT AUTHORITY\INTERACTIVE:F NT AUTHORITY\SYSTEM:F =============== Fix Information =============== An effective workaround for this vulnerability is to revoke access rights for NT AUTHORITY\INTERACTIVE from cvpnd.exe. For example: "C:\Program Files (x86)\Cisco Systems\VPN Client>cacls cvpnd.exe /E /R "NT AUTHORITY\INTERACTIVE" NGS Secure Research http://www.ngssecure.com

References:

http://www.securityfocus.com/archive/1/archive/1/518638/100/0/threaded
http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml
http://isc.sans.edu/diary.html?storyid=11125


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top