SOL8174 - F5 VPN Client for Windows is remotely exploitable through a buffer overflow

2007-12-17T00:00:00
ID SOL8174
Type f5
Reporter f5
Modified 2011-05-12T00:00:00

Description

A vulnerability exists in the F5 VPN Client for Windows, also called the Standalone Client. The Client can be exploited remotely by a buffer overflow attack on one of the Client's ActiveX control components. A successful attack can result in execution of malicious commands by the remote attacker.

The attack is executed when a user with the Client installed on their Microsoft Windows system uses Internet Explorer to browse a web page containing the malicious code. The Client need not be running prior to the attack. The attack may cause the browser to crash or may execute malicious code on the user's system with the privileges associated with the user's account.

In typical configurations, when the vulnerable ActiveX control is executed, Internet Explorer displays a security warning in the Information Bar similar to the following example:

To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options...

If the browser crashes, typically an error pop-up will be displayed with the following message:

Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

Firefox 2.0 and later versions in their native configurations do not permit the exploit to attack the Client's ActiveX component. Plug-ins that enable ActiveX controls may permit the exploit to function.

If the F5 VPN Client for Windows is not installed on a user's system, this vulnerability will not affect that system. The vulnerable control is not used with Network Access Favorites from the webtop.

F5 Product Development tracked this issue as CR89316 and it was fixed in FirePass version 6.0.3. For information about upgrading, refer to the FirePass release notes.

Additionally, cumulative hotfix HF-552-11 has been issued for FirePass version 5.5.2, cumulative hotfix HF-601-9 has been issued for FirePass version 6.0.1, and cumulative hotfix HF-602-1 has been issued for FirePass version 6.0.2. You may download these hotfixes or later versions of the cumulative hotfixes from the F5 Downloads site.

For instructions about obtaining a hotfix, refer to SOL167: Downloading software from F5.

For instructions about installing a hotfix, refer to SOL3430: Installing FirePass hotfixes.
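
The following is an added example, not F5 code, that classifies an inventory of FirePass systems against the fixed release and the minimum cumulative hotfix levels listed above. The inventory and host names are constructed, the `HF-<version>-<n>` parsing is inferred from the three hotfix IDs in this advisory, and releases later than 6.0.3 are assumed to retain the fix.

```python
import re

# Minimum cumulative hotfix per FirePass version, taken from the advisory text.
MIN_HOTFIX = {"5.5.2": 11, "6.0.1": 9, "6.0.2": 1}
FIXED_RELEASE = (6, 0, 3)  # CR89316 is fixed in this release

# Assumed ID layout, inferred from HF-552-11, HF-601-9 and HF-602-1.
HF_RE = re.compile(r"^HF-(\d{3})-(\d+)$")


def parse_version(text):
    """'6.0.2' -> (6, 0, 2); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)


def cr89316_status(version, hotfix=None):
    """Return 'fixed', 'vulnerable' or 'unknown' for one FirePass system."""
    ver = parse_version(version)
    if ver >= FIXED_RELEASE:  # assumption: later releases keep the fix
        return "fixed"
    key = ".".join(map(str, ver))
    if key not in MIN_HOTFIX:
        return "unknown"  # the advisory names no hotfix for this version
    if hotfix is None:
        return "vulnerable"
    m = HF_RE.match(hotfix.strip().upper())
    if not m or m.group(1) != key.replace(".", ""):
        return "unknown"  # malformed ID, or a hotfix for another version
    return "fixed" if int(m.group(2)) >= MIN_HOTFIX[key] else "vulnerable"


def triage(inventory):
    """Map each host in (host, version, hotfix) tuples to its status."""
    return {host: cr89316_status(ver, hf) for host, ver, hf in inventory}


# Constructed inventory for illustration only.
SAMPLE = [
    ("fp-a.example", "6.0.3", None),
    ("fp-b.example", "6.0.1", "HF-601-8"),
    ("fp-c.example", "5.5.2", "HF-552-12"),
    ("fp-d.example", "6.0.2", "HF-601-9"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Systems reported as `unknown` run a version for which this advisory names no hotfix, or report a hotfix ID that does not match their version, and need manual review.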

Acknowledgments

F5 would like to acknowledge Hewitt Associates for their efforts in identifying this issue.