{"vuid":"VU#858993","idnumber":"858993","name":"Deterministic Network Enhancer privilege escalation vulnerability","keywords":["Cisco","dne2000.sys","privilege escalation","SYSTEM","ioctl","Cisco VPN Client"],"overview":"The Deterministic Network driver contains a privilege escalation vulnerability, which can allow a local attacker to execute code with kernel privileges.","clean_desc":"Deterministic Networks provides a product called Deterministic Network Enhancer (DNE), which extends the Microsoft Windows networking stack. DNE is packaged with multiple applications, including the Cisco VPN Client. The DNE driver, which is provided by dne2000.sys, is vulnerable to privilege escalation. By making a certain ioctl to the DNE device driver, it is possible to execute code with windows kernel privileges.","impact":"A local attacker may be able to execute code with windows kernel privileges.","resolution":"Apply an update\nThis issue is addressed in dne2000.sys version 3.21.12.17902. This driver is available from the DNE support page. Cisco Windows VPN Client users should install version 5.0.03.0530, as specified in Cisco Support document CSCsm25860. SafeNet SoftRemote users should install SoftRemote version 10.8.4, and SafeNet HighAssuranceRemote users should install HighAssuranceRemote 1.8.4. These versions include the updated DNE driver. Please see the SafeNet Customer Support page for more details. For other products that provide the DNE driver, please check with the vendor for updates.","workarounds":"","sysaffected":"","thanks":"This vulnerability was reported by mu-b at Digit-Labs.","author":"This document was written by Will Dormann.","public":["http://www.digit-labs.org/files/exploits/dne2000-call.c","http://www.deterministicnetworks.com/support/dnesupport.asp","http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsm25860","http://secunia.com/advisories/30728/","http://secunia.com/advisories/30753/","http://secunia.com/advisories/30744/","http://secunia.com/advisories/30747/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2008-06-17T21:11:30Z","publicdate":"2008-06-17T00:00:00Z","datefirstpublished":"2008-06-18T15:16:30Z","dateupdated":"2008-06-27T16:47:23Z","revision":10,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"2","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"10","cam_impact":"20","cam_easeofexploitation":"20","cam_attackeraccessrequired":"10","cam_scorecurrent":"22.5","cam_scorecurrentwidelyknown":"22.5","cam_scorecurrentwidelyknownexploited":"37.5","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":22.5,"vulnote":null}