NetworkManager VPNC plugin: Privilege escalation — GLSA 201808-03

A vulnerability in NetworkManager VPNC plugin allows local users to escalate privileges.

Affected Packages

net-misc/networkmanager-vpnc on all architectures
Affected versions < 1.2.6
Unaffected versions >= 1.2.6

Background

NetworkManager is an universal network configuration daemon for laptops, desktops, servers and virtualization hosts.

The VPNC plugin provides easy access Cisco Concentrator based VPN’s utilizing NetworkManager.

Description

When initiating a VPNC connection, NetworkManager spawns a new vpnc process and passes the configuration via STDIN. By injecting a special character into a configuration parameter, an attacker can coerce NetworkManager to set the Password helper option to an attacker controlled executable file.

Impact

A local attacker is able to escalate privileges via a specially crafted configuration file.

Workaround

There is no known workaround at this time.

Resolution

All NetworkManager VPNC plugin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=net-misc/networkmanager-vpnc-1.2.6"
 

References

Release Date
August 22, 2018

Latest Revision
August 22, 2018: 1

Severity
normal

Exploitable
local

Bugzilla entries