September 20, 2002, 3:05 PM — New vulnerabilities discovered in the Cisco Virtual Private Network (VPN) 5000 Client software could allow an attacker to gain root access to a local workstation running the VPN client software or to capture password information used by the client, according to statements released Thursday by security company Ubizen NV and by Cisco Systems, Inc.
The root access vulnerability affects versions of the VPN 5000 Client for Linux and Solaris, while the password vulnerability affects the VPN 5000 Client for Macintosh.
Cisco, in San Jose, California, released a security advisory covering the vulnerabilities late Wednesday, and provided links to the related Cisco bug identifiers and software updates on its Web site.
In the case of the vulnerability affecting VPN 5000 clients for Linux and Solaris, two buffer overflow conditions were discovered by engineers at Ubizen, based in Reston, Virginia, that could enable an attacker already logged on to the workstation running the client to obtain root privileges, giving that user complete administrative control of the workstation and open access to the data stored on it. The vulnerability was discovered during testing of the VPN 5000 Client by Ubizen, a Cisco Managed Security Services partner.
By exploiting buffer overflows in the close_tunnel and open_tunnel binaries used by the client, attackers could alter processes used by the client that have root privileges on the local machine, transferring those privileges to the user's log-in account, said Niels Heinen, a security assurance engineer at Ubizen.
The overflow condition is easy to exploit and doesn't require any special knowledge of VPN technology, according to Heinen, who reported the issue to Cisco in early July.
"It's an easy exploit -- the kind you see in buffer overflow tutorials. It doesn't require a tremendous amount of technical knowledge to use it," Heinen said.
The buffer overflow vulnerability would require local access to the machine running the VPN Client, and would only compromise the security of the local workstation, not the security of the remote networks connected to by the VPN Client, Heinen said.
The vulnerabilities affect the Cisco VPN 5000 Client version 5.2.7 for Linux and version 5.2.8 for Solaris. Cisco assigned bug ID CSCdy20065 to the vulnerability.
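As an added example that is not part of the original article and is not Cisco's close_tunnel or open_tunnel source, the following C program shows the bug class Ubizen describes in a hypothetical tunnel helper: a caller-supplied name copied into a fixed stack buffer with no length check, shown next to a hardened version that rejects over-long or malformed names before a root-privileged program acts on them. The helper, its function names, the 16-byte limit and the character policy are assumptions made for this illustration.

```c
/*
 * Added illustration, not Cisco's close_tunnel/open_tunnel source: a
 * hypothetical tunnel helper that a VPN client would run with root
 * privileges, showing the bug class the article describes (an unbounded
 * copy of caller-supplied data into a fixed stack buffer) next to a
 * hardened version. Names, the 16-byte limit and the character policy
 * are assumptions made for this example.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define TUNNEL_NAME_MAX 16  /* assumed buffer size, including the NUL */

/* Vulnerable form. strcpy() never looks at the size of dst, so a name
 * longer than TUNNEL_NAME_MAX - 1 bytes overwrites whatever follows the
 * buffer on the stack, including the saved return address. When the
 * program runs setuid root, a local user who chooses that data runs code
 * as root: the "tutorial" overflow Heinen describes. Kept only for
 * contrast; never pass untrusted input to it. */
void copy_tunnel_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure the input against the destination before
 * copying and reject it if it does not fit. Returns 0 on success, -1
 * with errno = EINVAL for an empty name or one with no terminating NUL
 * within dst_size bytes. Rejecting is preferable to truncating with
 * strncpy(), which would silently operate on a different name. */
int copy_tunnel_name_safe(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;

    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == 0 || n == dst_size) {
        errno = EINVAL;
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n + 1 <= dst_size, NUL included */
    return 0;
}

/* A root-privileged helper should also constrain what the name contains,
 * since it ends up in ioctl()s or commands executed as root. Accepts only
 * [A-Za-z0-9_-]; returns 1 if valid, 0 otherwise. */
int tunnel_name_is_valid(const char *name)
{
    for (; *name != '\0'; name++) {
        unsigned char c = (unsigned char)*name;
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Full check as the helper would apply it to argv[1]: 0 if the name is
 * accepted, -1 if it is too long, empty, or contains disallowed bytes. */
int check_tunnel_name(const char *user_name)
{
    char name[TUNNEL_NAME_MAX];

    if (copy_tunnel_name_safe(name, sizeof name, user_name) != 0)
        return -1;
    if (!tunnel_name_is_valid(name))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s TUNNEL_NAME\n", argv[0]);
        return 2;
    }
    if (check_tunnel_name(argv[1]) != 0) {
        fprintf(stderr, "rejected tunnel name\n");
        return 1;
    }
    printf("tunnel name %s accepted\n", argv[1]);
    return 0;
}
```

The escalation path only exists because the helper runs with root privileges regardless of who invokes it; the same overflow in a binary running as the invoking user would let that user compromise only their own session. A practitioner assessing a client like this would list the setuid-root binaries the package installs and confirm each is at the vendor's fixed version, since every one of them is reachable by any local account.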
In the case of the password vulnerability affecting the VPN 5000 Client for the Mac operating system, the password used to log in to the remote network was found to be stored in clear text, where an attacker with access to the workstation could easily read it using a common resource-editing tool such as ResEdit.
The bug affects all versions of the Cisco VPN 5000 Client for Macintosh prior to version 5.2.2. Cisco assigned bug ID CSCdx17109 to the vulnerability.