Date: Wed, 18 Sep 2002 17:41:53 +0200
From: Niels Heinen <niels.heinen@ubizen.com.>
To: [email protected]Subject: Cisco VPN 5000 client buffer overflow vulnerabilities.
**********************************************************************
Subject : Cisco VPN 5000 client buffer overflow vulnerabilities
Platforms : Linux and Solaris
Versions : Linux versions prior to 5.2.7 and Solaris versions prior
to 5.2.8 are affected.
**********************************************************************
The impact:
Abuse of these vulnerabilities can allow local users to gain
super-user privileges. The affected systems are therefore
at risk of being compromised.
Problem description:
In June, Ubizen SIL identified multiple buffer overflow vulnerabilities
in the Cisco VPN 5000 client software for the Linux and Solaris
operating systems.
The close_tunnel and open_tunnel binaries, which are installed
setuid root by default, insecurely copy user input that is received
during command-line execution, into static memory buffers.
These programs fail to check whether the input fits into the
reserved memory buffers, which can lead to buffer overflow conditions
that allow arbitrary code to be executed with root privileges.
Vendor status:
Cisco, who immediately was contacted about these vulnerabilities,
has released fixed software for its affected customers:
- Solaris users should upgrade to version 5.2.8.
- Linux users should upgrade to version 5.2.7.
More information about how to obtain the fixed software packages
can be found in the advisory that is released by Cisco:
http://cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml
This Cisco advisory also discusses a security problem found in
the Mac OS VPN 5000 client.
Workaround:
Abuse of these buffer overflow vulnerabilities can be prevented by
removing the setuid permissions from the 'close_tunnel' and
'open_tunnel' binaries. This can be done by issuing the commands:
chmod -s /usr/local/bin/close_tunnel
chmod -s /usr/local/bin/open_tunnel
Note that after applying this workaround, the affected programs can
only be executed by system administrators that have root privileges.
**********************************************************************
All information, advice and statements are provided "AS IS", without
any warranty of any kind, express or implied, including but not
limited to, warranties of accuracy, timeliness, non-infringement
or fitness for a particular purpose. Ubizen assumes no liability
for any loss or damage whatsoever (direct, indirect, consequential
or otherwise). The use of and/or reliance on any of the information,
advice or statements provided will be at the sole risk of the
using/relying party.
Copyright (c) 2002 by Ubizen N.V. All rights reserved. Ubizen,
DMZ/Shield, OnlineGuardian and SEAM are trademarks or registered
trademarks of Ubizen N.V. All other trademarks or registered
trademarks are the property of their respective owners.
**********************************************************************