Cisco VPN Client for Windows Multiple Local Privilege Escalation Vulnerabilities
BID:25332
Info
| Bugtraq ID: | 25332 |
| Class: | Unknown |
| CVE: | CVE-2007-4415, CVE-2007-4414 |
| Remote: | No |
| Local: | Yes |
| Published: | Aug 15 2007 12:00AM |
| Updated: | Jul 05 2016 10:00PM |
| Credit: | A customer reported the Dial-Up Networking issue to the vendor. Dominic Beecher of Next Generation Security Software Ltd. reported the 'cvpnd.exe' issue to the vendor, and provided them with a workaround. |
| Vulnerable: | Cisco VPN Client for Windows 5.0.1; Cisco VPN Client for Windows 4.8.2; Cisco VPN Client for Windows 4.8.1; Cisco VPN Client for Windows 4.8; Cisco VPN Client for Windows 4.7 .0533; Cisco VPN Client for Windows 4.0.2 C; Cisco VPN Client for Windows 4.0.2 A; Cisco VPN Client for Windows 3.6.1; Cisco VPN Client for Windows 3.6 (Rel); Cisco VPN Client for Windows 3.6; Cisco VPN Client for Windows 3.5.4; Cisco VPN Client for Windows 3.5.2 B; Cisco VPN Client for Windows 3.5.2; Cisco VPN Client for Windows 3.5.1 C; Cisco VPN Client for Windows 3.5.1; Cisco VPN Client for Windows 3.1; Cisco VPN Client for Windows 3.0.5; Cisco VPN Client for Windows 3.0; Cisco VPN Client for Windows 2.0; Cisco VPN Client for Windows 4.7; Cisco VPN Client for Windows 4.6; Cisco VPN Client 0 |
| Not Vulnerable: | Cisco VPN Client for Windows 5.0.1 .0600; Cisco VPN Client for Windows 4.8.2 .0010 |
Discussion
Cisco VPN Client for Windows is prone to multiple local privilege-escalation vulnerabilities.
Successfully exploiting these issues allows attackers with local, interactive access to affected computers to gain SYSTEM-level privileges. This facilitates the complete compromise of affected computers.
Versions prior to 4.8.02.0010 and 5.0.01.0600 of Cisco VPN Client for the Microsoft Windows platform are vulnerable to these issues.
These issues are tracked as Cisco Bug IDs CSCse89550 and CSCsj00785.
Exploit / POC
Specific exploit code is not required.
Attackers interact with the application to exploit the Dial-Up Networking issue, and utilize standard utilities to exploit the 'cvpnd.exe' issue.
Solution / Fix
Solution:
Cisco has released an advisory, along with fixes to address these issues. Please see the references for more information.
References
References:
- VPN Client (Cisco Systems)
- Cisco Security Advisory: Local Privilege Escalation Vulnerabilities in Cisco VPN (Cisco Systems Product Security Incident Response Team)
- Local privilege escalation vulnerability in Cisco VPN client (NGSSoftware Insight Security Research)
- NGS00051 Patch Notification: Cisco VPN Client Privilege Escalation ("Research@NGSSecure")
- NGS00051 Technical Advisory: Cisco VPN Client Privilege Escalation ("Research@NGSSecure")
- Cisco Security Advisory: Local Privilege Escalation Vulnerabilities in Cisco VPN (Cisco)