Details of VAR-200708-0373

ID

VAR-200708-0373

CVE

CVE-2007-4415

TITLE

Cisco VPN Client Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2007-002520

DESCRIPTION

Cisco VPN Client on Windows before 5.0.01.0600, and the 5.0.01.0600 InstallShield (IS) release, uses weak permissions for cvpnd.exe (Modify granted to Interactive Users), which allows local users to gain privileges via a modified cvpnd.exe. Cisco VPN Client for Windows is prone to multiple local privilege-escalation vulnerabilities. Successfully exploiting these issues allows attackers with local, interactive access to affected computers to gain SYSTEM-level privileges. This facilitates the complete compromise of affected computers. Versions prior to 4.8.02.0010 and 5.0.01.0600 of Cisco VPN Client for the Microsoft Windows platform are vulnerable to these issues. These issues are tracked as Cisco Bug IDs CSCse89550 and CSCsj00785. 1. Local privileges over Microsoft Windows Dial-Up Networking interfaces Elevating a non-privileged user can be done by enabling the Start Before Logon (SBL) feature and configuring the VPN configuration to use the Microsoft Dial-Up Networking interface to elevate privileges to that of a LocalSystem account user. Note that configuring these two settings does not require the user to have administrative privileges. 2. Unprivileged users can obtain privilege escalation through the use of any executable program Replacing the Cisco VPN Service executable causes arbitrary programs to run with the privileges of the LocalSystem account

Trust: 1.98

sources: NVD: CVE-2007-4415 // JVNDB: JVNDB-2007-002520 // BID: 25332 // VULHUB: VHN-27777

AFFECTED PRODUCTS

vendor:	cisco	model:	vpn client	scope:	eq	version:	5.0.01.0600	Trust: 1.6
vendor:	cisco	model:	vpn client	scope:	lte	version:	5.0.01	Trust: 1.0
vendor:	cisco	model:	vpn client	scope:	lt	version:	5.0.01.0600	Trust: 0.8
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	3.6	Trust: 0.6
vendor:	cisco	model:	vpn client	scope:	eq	version:	5.0.01	Trust: 0.6
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	5.0.1	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	4.8.2	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	4.8.1	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	4.8	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	4.7.0533	Trust: 0.3
vendor:	cisco	model:	vpn client for windows c	scope:	eq	version:	4.0.2	Trust: 0.3
vendor:	cisco	model:	vpn client for windows a	scope:	eq	version:	4.0.2	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	3.6.1	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	3.5.4	Trust: 0.3
vendor:	cisco	model:	vpn client for windows b	scope:	eq	version:	3.5.2	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	3.5.2	Trust: 0.3
vendor:	cisco	model:	vpn client for windows c	scope:	eq	version:	3.5.1	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	3.5.1	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	3.1	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	3.0.5	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	3.0	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	2.0	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	4.7	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	eq	version:	4.6	Trust: 0.3
vendor:	cisco	model:	vpn client	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	ne	version:	5.0.1.0600	Trust: 0.3
vendor:	cisco	model:	vpn client for windows	scope:	ne	version:	4.8.2.0010	Trust: 0.3

sources: BID: 25332 // JVNDB: JVNDB-2007-002520 // CNNVD: CNNVD-200708-300 // NVD: CVE-2007-4415

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2007-4415
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2007-4415
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200708-300
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-27777
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2007-4415
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-27777
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-27777 // JVNDB: JVNDB-2007-002520 // CNNVD: CNNVD-200708-300 // NVD: CVE-2007-4415

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2007-4415

THREAT TYPE

local

Trust: 0.9

sources: BID: 25332 // CNNVD: CNNVD-200708-300

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200708-300

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-002520

PATCH

title:

cisco-sa-20070815-vpnclient

url:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070815-vpnclient

Trust: 0.8

sources: JVNDB: JVNDB-2007-002520

EXTERNAL IDS

db:	NVD	id:	CVE-2007-4415	Trust: 2.8
db:	BID	id:	25332	Trust: 2.0
db:	SECUNIA	id:	26459	Trust: 1.7
db:	SECTRACK	id:	1018573	Trust: 1.7
db:	VUPEN	id:	ADV-2007-2903	Trust: 1.7
db:	SREASON	id:	3023	Trust: 1.7
db:	JVNDB	id:	JVNDB-2007-002520	Trust: 0.8
db:	BUGTRAQ	id:	20070816 LOCAL PRIVILEGE ESCALATION VULNERABILITY IN CISCO VPN CLIENT	Trust: 0.6
db:	XF	id:	36032	Trust: 0.6
db:	CISCO	id:	20070815 LOCAL PRIVILEGE ESCALATION VULNERABILITIES IN CISCO VPN CLIENT	Trust: 0.6
db:	CNNVD	id:	CNNVD-200708-300	Trust: 0.6
db:	VULHUB	id:	VHN-27777	Trust: 0.1

sources: VULHUB: VHN-27777 // BID: 25332 // JVNDB: JVNDB-2007-002520 // CNNVD: CNNVD-200708-300 // NVD: CVE-2007-4415

REFERENCES

url:	http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml	Trust: 2.0
url:	http://www.securityfocus.com/bid/25332	Trust: 1.7
url:	http://securitytracker.com/id?1018573	Trust: 1.7
url:	http://secunia.com/advisories/26459	Trust: 1.7
url:	http://securityreason.com/securityalert/3023	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/476812/100/0/threaded	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2007/2903	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/36032	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-4415	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-4415	Trust: 0.8
url:	http://www.frsirt.com/english/advisories/2007/2903	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/476812/100/0/threaded	Trust: 0.6
url:	http://xforce.iss.net/xforce/xfdb/36032	Trust: 0.6
url:	http://www.cisco.com/en/us/products/sw/secursw/ps2308/index.html	Trust: 0.3
url:	/archive/1/476651	Trust: 0.3
url:	/archive/1/476812	Trust: 0.3
url:	/archive/1/517180	Trust: 0.3
url:	/archive/1/518638	Trust: 0.3

sources: VULHUB: VHN-27777 // BID: 25332 // JVNDB: JVNDB-2007-002520 // CNNVD: CNNVD-200708-300 // NVD: CVE-2007-4415

CREDITS

Dominic Beecher dominic@ngssoftware.com

Trust: 0.6

sources: CNNVD: CNNVD-200708-300

SOURCES

db:	VULHUB	id:	VHN-27777
db:	BID	id:	25332
db:	JVNDB	id:	JVNDB-2007-002520
db:	CNNVD	id:	CNNVD-200708-300
db:	NVD	id:	CVE-2007-4415

LAST UPDATE DATE

2024-11-23T22:36:08.377000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-27777	date:	2018-10-15T00:00:00
db:	BID	id:	25332	date:	2016-07-05T22:00:00
db:	JVNDB	id:	JVNDB-2007-002520	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200708-300	date:	2007-08-28T00:00:00
db:	NVD	id:	CVE-2007-4415	date:	2024-11-21T00:35:32.450

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-27777	date:	2007-08-18T00:00:00
db:	BID	id:	25332	date:	2007-08-15T00:00:00
db:	JVNDB	id:	JVNDB-2007-002520	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200708-300	date:	2007-08-18T00:00:00
db:	NVD	id:	CVE-2007-4415	date:	2007-08-18T21:17:00