Advisory ID: SYSS-2018-039
Product: NCP Secure Enterprise Client
Manufacturer: NCP engineering GmbH
Affected Version(s): 11.10 Build 39552, 11.11 Build 40377
Tested Version(s): 11.10 Build 39552, 11.11 Build 40377
Vulnerability Type: Command Execution
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-12-03
Solution Date: 2018-12-07
Public Disclosure: 2020-03-25
CVE Reference: CVE-2020-10677
Author of Advisory: Philipp Buchegger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

NCP Secure Enterprise Client is a VPN client that allows connecting to
company networks. It can be configured to connect to VPNs before
authentication with active directory credentials.

The manufacturer describes the product as follows (see [1]):

"This VPN Client Suite is available for Windows 10, Windows 8.x and
Windows 7. The highly secure communication software is designed for use
in any remote access VPN environment."

Due to the execution of the program before a successful login to the
operating system, the software is executed with SYSTEM privileges.
The Windows file select dialog allows accessing the file system.

An attacker could exploit this vulnerability to fully compromise the
affected computer system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Arbitrary code can be executed with SYSTEM privileges without prior
authentication.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The described security vulnerability can be exploited via the following
steps:

1. Select "NCP Secure Enterprise Client" in the Windows login screen
2. Select "Hilfe" -> "Logbuch" -> "Öffne Datei"
3. Browse to C:\Windows\System32\
4. Right-click cmd.exe -> Öffnen
5. #whoami: NT AUTHORITY\SYSTEM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install a newer software version with the implemented security fixes.

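A detection sketch for the behaviour shown in the Proof of Concept, added here as an example and not part of the SySS advisory or of NCP's software: it flags process-creation records in which an interactive program runs as SYSTEM with the pre-logon VPN client as its parent. It assumes the shell is created as a child of the client's pre-logon process; the records are constructed and use Sysmon Event ID 1 field names, and the parent executable name and install path are hypothetical placeholders because the advisory does not name them.

```python
import ntpath

# Hypothetical placeholder: the advisory does not name the client's pre-logon
# executable. Replace with the real binary name from your own inventory.
PRELOGON_PARENTS = {"PLACEHOLDER-vpn-prelogon-ui.exe"}

# Programs that hand over an interactive session when opened from a file dialog.
INTERACTIVE_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe",
                      "regedit.exe", "mmc.exe", "taskmgr.exe"}

# Account names for LocalSystem; localized Windows builds spell it differently,
# so add the local form (or match SID S-1-5-18 if your log source records it).
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM"}

def _name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path or "").lower()

def find_prelogon_shells(events, parents=PRELOGON_PARENTS):
    """Return (UtcTime, Image) for SYSTEM shells spawned by a pre-logon UI."""
    parents = {p.lower() for p in parents}
    users = {u.upper() for u in SYSTEM_USERS}
    hits = []
    for ev in events:
        if (ev.get("User", "").upper() in users
                and _name(ev.get("Image")) in INTERACTIVE_IMAGES
                and _name(ev.get("ParentImage")) in parents):
            hits.append((ev.get("UtcTime"), ev.get("Image")))
    return hits

# Constructed sample records (not real logs); the install path is made up.
_P = "C:\\Program Files\\Vendor\\PLACEHOLDER-vpn-prelogon-ui.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2020-03-25 08:00:01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": _P},
    {"UtcTime": "2020-03-25 08:05:10", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2020-03-25 08:06:30", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\rasdial.exe", "ParentImage": _P},
    {"UtcTime": "2020-03-25 08:07:42", "User": "nt authority\\system",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE",
     "ParentImage": _P.upper()},
]

if __name__ == "__main__":
    for when, image in find_prelogon_shells(SAMPLE_EVENTS):
        print(f"ALERT {when} SYSTEM shell from pre-logon VPN UI: {image}")
```
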
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-11-26: Vulnerability discovered
2018-12-03: Vulnerability reported to manufacturer
2018-12-07: Patch released by manufacturer
2020-03-25: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for NCP Secure Enterprise Client
    https://www.ncp-e.com/en/products/centrally-managed-vpn-solution/managed-clients/
[2] SySS Security Advisory SYSS-2018-039
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-039.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Philipp Buchegger of SySS GmbH.

E-Mail: philipp.buchegger@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc
Key ID: 0x065809F0BB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en