• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Cisco VPN Client Privilege Escalation Vulnerability

Severity: MODERATE

Description:

The Cisco VPN client is used to allow a Windows client system to connect to a virtual private network through a Cisco networking device.

The Cisco VPN client could allow a local user to escalate their privilege level.

The VPN client can be configured to run prior to Windows logon so that a user can authenticate to the remote domain through the VPN. When the client is configured in such a way, it executes with local System privileges.

The VPN client can also be configured to execute a third party application, such as a phone dialer. However, any executable can be specified as the third party application to be started. Any application launched in this manner will also be executed with local System privileges.

If an executable such as explorer.exe were launched in this manner, a local attacker would be able to escalate their privilege level. It is important to note that the attacker would need to be able to login to the system in order to make the necessary changes to the VPN client.

A variant of this issue was reported that affects versions of the VPN client which were thought to not be vulnerable. This new variant involves replacing VPN binaries with arbitrary executables. A new BID will be created to reflect the details of the variant issue.

Affected Products:

• Cisco VPN Client for Windows 3.0.0
• Cisco VPN Client for Windows 3.0.5
• Cisco VPN Client for Windows 3.1.0
• Cisco VPN Client for Windows 3.5.1
• Cisco VPN Client for Windows 3.5.1C
• Cisco VPN Client for Windows 3.5.2
• Cisco VPN Client for Windows 3.5.2B
• Cisco VPN Client for Windows 3.5.4
• Cisco VPN Client for Windows 3.6.0
• Cisco VPN Client for Windows 3.6.0(Rel)
• Cisco VPN Client for Windows 3.6.1

References:

• Cisco Systems: VPN Client

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.