Weaknesses in some Cisco software could prevent users accessing their organisation's virtual private networks.
All Cisco virtual private network (VPN) client software earlier than versions 3.6 and 3.5.4 - including Cisco Secure VPN Client and Cisco VPN 3000 Client - is affected by what Cisco describes as "multiple vulnerabilities".
According to a Cisco security advisory, "exploitation of these vulnerabilities prevents the Cisco VPN Client software from functioning correctly and there are no workarounds available to mitigate the effects". Cisco's VPN 5000 Client is unaffected.
Cisco New Zealand manager Tim Hemingway says the problem is a buffer overflow that would not affect all users, only those in specific situations. "It's not a security vulnerability at all, so there is no issue with third parties getting hold of any data."
Hemingway says a patch has been available since August 12, when Cisco issued an advisory on the problem.
He says only a very small number of organisations could be affected by the problem.
"One is a university network and so we have acted very quickly to ensure they have the upgrades to rollout on their VPN solution."
Hemingway knows of no attacks using the vulnerability.
"And in most cases it would only require the VPN session to be reset by rebooting the PC."
He says Cisco partners have been advised so they can follow up with their customers.
"It certainly doesn't appear to have been customer-impacting at all in NZ and I am more than happy we have followed the correct processes to make sure we minimise any potential impact."
The affected software runs on Microsoft Windows; on Red Hat Linux 6.2 with kernel 2.2.12 and later (but not 2.5) on Intel; and on Sun Solaris 2.6 and later on UltraSPARC with a 32-bit kernel. Mac OS X 10.1.0 and later is also vulnerable if running the clients.
A further patch, to be integrated into VPN Client 3.5.4 and later, will be available from September 30.