Cisco VPN 5000 client buffer overflow vulnerabilities.

From: Niels Heinen (niels.heinenat_private)
Date: Wed Sep 18 2002 - 08:41:53 PDT

Next message: SGI Security Coordinator: "[VulnWatch] IRIX IGMP multicast report Denial of Service vulnerability"

Previous message: Cisco Systems Product Security Incident Response Team: "Cisco Security Advisory: Microsoft Windows SMB Denial of Service Vulnerabilities in Cisco Products - MS02-045"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

**********************************************************************

Subject   : Cisco VPN 5000 client buffer overflow vulnerabilities
Platforms : Linux and Solaris
Versions  : Linux versions prior to 5.2.7 and Solaris versions prior 
            to 5.2.8 are affected. 

**********************************************************************


The impact:
-----------

Abuse of these vulnerabilities can allow local users to gain
super-user privileges. The affected systems are therefore
at risk of being compromised.


Problem description:
--------------------

In June, Ubizen SIL identified multiple buffer overflow vulnerabilities
in the Cisco VPN 5000 client software for the Linux and Solaris
operating systems.

The close_tunnel and open_tunnel binaries, which are installed
setuid root by default, insecurely copy user input that is received
during command-line execution, into static memory buffers. 

These programs fail to check whether the input fits into the
reserved memory buffers, which can lead to buffer overflow conditions 
that allow arbitrary code to be executed with root privileges.


Vendor status:
--------------

Cisco, who immediately was contacted about these vulnerabilities,
has released fixed software for its affected customers:

  -  Solaris users should upgrade to version 5.2.8. 
  -  Linux users should upgrade to version 5.2.7.

More information about how to obtain the fixed software packages
can be found in the advisory that is released by Cisco:

http://cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml

This Cisco advisory also discusses a security problem found in 
the Mac OS VPN 5000 client.


Workaround:
-----------

Abuse of these buffer overflow vulnerabilities can be prevented by
removing the setuid permissions from the 'close_tunnel' and
'open_tunnel' binaries. This can be done by issuing the commands:

chmod -s /usr/local/bin/close_tunnel
chmod -s /usr/local/bin/open_tunnel

Note that after applying this workaround, the affected programs can
only be executed by system administrators that have root privileges. 


**********************************************************************
All information, advice and statements are provided "AS IS", without
any warranty of any kind, express or implied, including but not
limited to, warranties of accuracy, timeliness, non-infringement
or fitness for a particular purpose. Ubizen assumes no liability
for any loss or damage whatsoever (direct, indirect, consequential
or otherwise).  The use of and/or reliance on any of the information,
advice or statements provided will be at the sole risk of the
using/relying party.

Copyright (c) 2002 by Ubizen N.V.  All rights reserved. Ubizen,
DMZ/Shield, OnlineGuardian and SEAM are trademarks or registered
trademarks of Ubizen N.V.  All other trademarks or registered
trademarks are the property of their respective owners.
**********************************************************************

Next message: SGI Security Coordinator: "[VulnWatch] IRIX IGMP multicast report Denial of Service vulnerability"
Previous message: Cisco Systems Product Security Incident Response Team: "Cisco Security Advisory: Microsoft Windows SMB Denial of Service Vulnerabilities in Cisco Products - MS02-045"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 13:30:42 PDT