Technical Description

Two vulnerabilities have been identified in Cisco VPN Client, which could be exploited by malicious users to obtain elevated privileges.

The first issue is caused by an error when using a VPN profile that is configured to utilize MS dial-up networking to launch a dial-up networking dialog box, which could be exploited by local attackers to gain SYSTEM privileges by enabling the Start Before Logon (SBL) feature and configuring a VPN profile.

The second vulnerability is caused due to insecure default file permissions being set on the "cvpnd.exe" file, which could be exploited by attackers to replace the affected file with a malicious binary and gain SYSTEM privileges.

Affected Products

Cisco VPN Client versions prior to 4.8.02.0010
Cisco VPN Client versions prior to 5.0.01.0600

Solution

Upgrade to Cisco VPN Client version 4.8.02.0010 or 5.0.01.0600 :
http://www.cisco.com/pcgi-bin/tablebuild.pl/windows?psrtdcat20e2

References

http://www.vupen.com/english/advisories/2007/2903
http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml

Credits

Vulnerabilities reported by a customer and Dominic Beecher (Next Generation Security Software).

ChangeLog

2007-08-16 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.