The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Nortel SSL VPN Net Direct Client: privilege elevation

Synthesis of the vulnerability 

A local attacker can obtain root privileges via several vulnerabilities in the Unix VPN client.
Vulnerable systems: Contivity VPN/Gateway, Nortel VPN Router.
Severity of this threat: 2/4.
Creation date: 21/02/2007.
References of this weakness: BID-22632, VIGILANCE-VUL-6578.

Description of the vulnerability 

When the Unix VPN client initializes an SSL session:
 - a zip archive containing 3 programs (askpass, client and surun) is downloaded
 - it is stored under /tmp with the mode 0777
 - it is extracted in the /tmp/NetClient directory
 - the mode of these 3 programs is changed to read-write for all users
 - the /tmp/NetClient/surun program is run
 - the /tmp/NetClient/askpass program is run
 - the /tmp/NetClient/client program is run as root

This procedure has several errors.

A local attacker can, for example, inject a Trojan into /tmp/NetClient/client. This vulnerability then permits him to obtain root privileges.
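The staging steps listed above, redone defensively as an added example (this is not Nortel's code and not the content of the 6.0.5 fix, which the bulletin does not describe): the archive is unpacked into a private directory and each program is checked before it would be run. The function names stage_archive, safe_to_exec and make_sample_zip are hypothetical, and the sample archive is constructed.

```python
import io, os, stat, tempfile, zipfile

EXPECTED = {"askpass", "client", "surun"}  # program names from the bulletin

def stage_archive(zip_bytes):
    """Extract the three programs into a fresh private directory (hypothetical helper)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if names != EXPECTED:
            raise ValueError(f"unexpected archive members: {sorted(names ^ EXPECTED)}")
        # Unpredictable name, created with mode 0700: not a fixed /tmp/NetClient
        workdir = tempfile.mkdtemp(prefix="netclient-")
        for name in sorted(EXPECTED):
            dest = os.path.join(workdir, name)
            # O_EXCL: fail rather than reuse or follow anything already there
            fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o500)
            with os.fdopen(fd, "wb") as out:
                out.write(zf.read(name))
            os.chmod(dest, 0o500)  # owner read+execute only, whatever the umask
    return workdir

def safe_to_exec(path):
    """True only if nobody but the current user can modify or replace path."""
    st = os.lstat(path)  # lstat: a symlink planted in place of the file is rejected
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    others_write = stat.S_IWGRP | stat.S_IWOTH
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.geteuid()
            and not st.st_mode & others_write
            and parent.st_uid == os.geteuid()
            and not parent.st_mode & others_write)

def make_sample_zip():
    """Constructed sample archive with placeholder program bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(EXPECTED):
            zf.writestr(name, "#!/bin/sh\nexit 0\n")
    return buf.getvalue()

if __name__ == "__main__":
    d = stage_archive(make_sample_zip())
    print(d, {n: safe_to_exec(os.path.join(d, n)) for n in sorted(EXPECTED)})
```

A file left world-writable, as in the procedure described above, makes safe_to_exec return False, so a privileged launcher using this check would refuse to run it.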

This cybersecurity threat impacts software or systems such as Contivity VPN/Gateway, Nortel VPN Router.

Our Vigil@nce team determined that the severity of this computer threat is medium.

The trust level is: confirmed by the editor, with an origin of user shell.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this security threat.

Solutions for this threat 

Nortel SSL VPN Net Direct Client: version 6.0.5.
Version 6.0.5 is fixed:
  http://www130.nortelnetworks.com/go/main.jsp?level=6&category=8&subcategory=7&subtype=&DocumentOID=540071&RenditionID=REND837510
