
SANS ISC: Deja-Vu: Cisco VPN Windows Client Privilege Escalation SANS ISC InfoSec Forums

Deja-Vu: Cisco VPN Windows Client Privilege Escalation

Earlier today, Cisco released a bulletin regarding a vulnerability in the Cisco VPN client for Windows 7. The vulnerability is pretty simple: the client runs as a service, and all users logged in interactively have full access to the service executable. A user could therefore replace the executable, restart the system, and have the replacement run under the LocalSystem account.

The fix is pretty simple: Revoke the access rights for interactive users.

The interesting part: NGS Secure Research found the vulnerability and released the details after Cisco released the patch [1]. The vulnerability is almost identical to one found in 2007 by the same company in the same product [2].

Very sad at times how some vendors don't learn. Lucky that at least companies like NGS appear to be doing some of the QA for them.

[1] http://www.securityfocus.com/archive/1/518638
[2] http://www.securityfocus.com/archive/1/476812

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3697 Posts
ISC Handler
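
A read-only audit for the condition the diary describes, as an added PowerShell example (not code from the diary, Cisco, or NGS): it lists Windows services whose executable grants write-type access to broad groups such as INTERACTIVE. The group list, the rights mask, and the helper name `Get-ServiceExePath` are assumptions of this example.

```powershell
# Added example, read-only: find services whose executable is writable by
# broad, non-administrative groups. Run elevated so every ACL is readable.

# Well-known SIDs (locale-independent) that cover ordinary logged-on users.
$broadSids = @{
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-1-0'      = 'Everyone'
}

# Rights that allow rewriting or replacing the file or changing its ACL,
# plus the raw GENERIC_ALL | GENERIC_WRITE bits (0x50000000).
$fileWrite = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = $fileWrite -bor 0x50000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Hypothetical helper: pull the executable path out of a service PathName,
# which may be quoted, or unquoted with trailing arguments.
function Get-ServiceExePath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
    try { $acl = Get-Acl -LiteralPath $exe -ErrorAction Stop } catch { return }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Path      = $exe
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
            }
        }
    }
} | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Any row whose `RunsAs` is LocalSystem matches the situation in the diary, where the stated fix is to revoke the interactive users' access rights on the executable.
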
Actually, Cisco's bulletin for this was updated in March when the problem was actually fixed.
Jim

412 Posts
ISC Handler
Can someone explain this a bit? Since permissions are inherited for the most part, would any service executable residing in the Program Files directory be similarly vulnerable, or did Cisco somehow modify the default permissions? Thanks in advance.
Dean

135 Posts
