Mitre assigned CVE-2015-7600
An alternative, but no less accurate, title for this article would be ‘why you shouldn’t stick with non-supported software’. On the 30th of July 2014, the widely used Cisco Systems VPN Client v5.x went out of support. Unfortunately, announcing the end-of-life of a software product doesn’t necessarily mean that whoever uses it will instantly migrate to the newer solution. In practice this means that any host still running such a product will remain vulnerable to every newly discovered security hole in it, because no fix will ever be issued.
Unfortunately for anyone still using the unsupported application, we have discovered a vulnerability in this software. Even though some issues can temporarily be addressed by an administrator, this should only be considered a lucky and temporary convenience, rather than a permanent solution to the problem. As more vulnerabilities like this are uncovered in an application that is no longer supported by its vendor, each one gives an attacker another potential entry point into a corporate network.
The ‘vpnclient.ini’ file keeps important configuration settings for the VPN Client, but its permissions allow any logged-on user (Guest included) to write to it. Since the VPN Client offers the option to set up an executable that runs every time a user connects to a VPN server, and because this setting is stored inside the aforementioned ‘.ini’ file, a local attacker can set their own program as that executable, and it will be run every time another user, such as an Administrator, uses the VPN Client. Execution of this additional program can be completely transparent to the legitimate user. The same setting can also be set from the ‘Options’ menu of the ‘vpngui.exe’ program; an example of the resulting change in the ‘vpnclient.ini’ file would be:
[ApplicationLauncher]
Enable=1
Command=C:\Users\Guest\Desktop\cmd2.exe
Cisco Systems VPN Client is vulnerable to privilege escalation due to weak ACLs assigned to one of the files that store important configuration settings. This issue allows a user with a limited account to perform actions that they are not authorised to perform. Depending on who is using the VPN Client application, a local attacker can execute code either in the security context of another user with the same privileges, or as a user with higher privileges, such as an administrator.
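The check an administrator would want after reading the above, written here as an added example rather than code from Nettitude or Cisco: it inspects the ACL on ‘vpnclient.ini’ for write-class rights granted to identities that a Guest or standard user belongs to, reports whether the ‘[ApplicationLauncher]’ setting is enabled and which command it runs, and, with ‘-Fix’, removes those weak entries so only the remaining administrative entries can change the file. The default install path is an assumption about a 32-bit client on 64-bit Windows; the list of low-privileged identities and the choice of ACL tightening as the interim mitigation are also assumptions made for this example.

```powershell
# Added example, not Nettitude's or Cisco's code: audit a Cisco VPN Client install
# for the CVE-2015-7600 condition (low-privileged write access to vpnclient.ini)
# and, with -Fix, restrict the file so that only administrators can change it.
# The default path is an ASSUMPTION about the install location; pass -IniPath if
# the client lives elsewhere. Run from an elevated prompt when using -Fix.
param(
    [string]$IniPath = 'C:\Program Files (x86)\Cisco Systems\VPN Client\vpnclient.ini',
    [switch]$Fix
)

# Identities that a Guest or standard user is a member of (assumed list). Any
# Allow ACE for one of these that carries write-class rights makes the
# ApplicationLauncher setting controllable by a limited account.
$lowPrivIdentities = @(
    'Everyone', 'BUILTIN\Users', 'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a principal alter the file or its permissions. 'Write',
# 'Modify' and 'FullControl' all include at least one of these bits.
$writeClass = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

function Get-WeakAces {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPrivIdentities -contains $ace.IdentityReference.Value -and
            ([int]($ace.FileSystemRights -band $writeClass)) -ne 0) {
            $ace
        }
    }
}

function Get-LauncherSetting {
    param([string]$Path)
    # Minimal INI reader: only the [ApplicationLauncher] section matters here.
    $section = ''
    $found = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'ApplicationLauncher' -and $t -match '^([^=;]+?)\s*=\s*(.*)$') {
            $found[$Matches[1]] = $Matches[2]
        }
    }
    return $found
}

if (-not (Test-Path -LiteralPath $IniPath)) {
    Write-Warning "vpnclient.ini not found at '$IniPath'"
    return
}

# 1. Who can write to the configuration file?
$acl  = Get-Acl -LiteralPath $IniPath
$weak = @(Get-WeakAces -Acl $acl)
if ($weak.Count -gt 0) {
    Write-Output "VULNERABLE: low-privileged identities can modify $IniPath"
    $weak | ForEach-Object { Write-Output ("  {0,-40} {1}" -f $_.IdentityReference, $_.FileSystemRights) }
} else {
    Write-Output "OK: no low-privileged write access to $IniPath"
}

# 2. Is a launch-on-connect command configured, and what is it?
$launcher = Get-LauncherSetting -Path $IniPath
if ($launcher['Enable'] -eq '1' -and $launcher['Command']) {
    Write-Output "ApplicationLauncher is enabled; this runs on every connect: $($launcher['Command'])"
    Write-Output "  Confirm an administrator configured it and that the target sits in a protected location."
}

# 3. Optional mitigation: break inheritance (keeping inherited ACEs as explicit
#    copies), drop every weak ACE, and re-grant read-only access to standard users.
if ($Fix -and $weak.Count -gt 0) {
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $IniPath -AclObject $acl
    $acl = Get-Acl -LiteralPath $IniPath
    foreach ($ace in @(Get-WeakAces -Acl $acl)) { [void]$acl.RemoveAccessRule($ace) }
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'BUILTIN\Users', 'ReadAndExecute', 'Allow'
    $acl.AddAccessRule($readOnly)
    Set-Acl -LiteralPath $IniPath -AclObject $acl
    Write-Output "Fixed: write access to $IniPath is now limited to the remaining administrative ACEs"
}
```

Run it without ‘-Fix’ first to see the report; the reported launcher command is worth comparing against what the administrator actually configured, because an attacker-supplied entry looks identical to a legitimate one in the file. Tightening the ACL only protects this one file and, as the article says, is a stopgap: the supported client remains the real fix.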
Nettitude tested this on the latest v5.x version (5.0.07.0440) that we managed to obtain for Windows 7 x64. However, earlier versions are quite likely affected by this issue.
As mentioned already, this product is no longer officially supported and, for that reason, it is a fair decision on Cisco’s part not to provide a patch for it. This is a typical example of an underlying issue in a fairly popular application only coming to light after the application has gone out of support. Hopefully this will raise some awareness and make some system administrators think twice before they decide to stick with any non-supported application, just because ‘it works’.
To contact Nettitude, please email firstname.lastname@example.org.