CVE-2017-17023:NCP Secure Entry Client (rebranded as Sophos IPSec Client) contains an insufficient verification of data authenticity vulnerability in its software update feature, allowing MITM attackers to execute arbitrary code.

splash
Back

Description Preview

The Sophos UTM VPN endpoint interacts with client software provided by NCP Engineering. The affected client software, "Sophos IPSec Client" 11.04 (a rebranded version of NCP "Secure Entry Client" 10.11 r32792), contains a critical vulnerability in its software update mechanism. The vulnerability allows a man-in-the-middle (MITM) or man-on-the-side (MOTS) attacker to execute arbitrary, malicious software on a target user's computer. The issue affects SIC_V11.04-64.exe (Sophos), NCP_EntryCl_Windows_x86_1004_31799.exe (NCP), and ncpmon.exe (both Sophos and NCP). The vulnerability stems from two critical security flaws: (1) the VPN client requests update metadata over an insecure HTTP connection, and (2) the client software fails to verify digital signatures of software updates before execution.

Overview

This vulnerability (CVE-2017-17023) is classified as CWE-345: Insufficient Verification of Data Authenticity. The issue affects the update mechanism in NCP Secure Entry Client 10.11 r32792 and its rebranded version, Sophos IPSec Client 11.04. When the client checks for updates, it uses unencrypted HTTP connections to retrieve update metadata, making it susceptible to interception. Furthermore, the client fails to validate whether the downloaded updates are properly signed before executing them. This combination allows attackers positioned between the client and update servers to inject malicious code that will be automatically executed with the same privileges as the VPN client, which typically runs with elevated permissions. Since VPN clients are often used to secure connections in untrusted networks, this vulnerability is particularly concerning as these are precisely the environments where MITM attacks are most feasible.

Remediation

Users should immediately update to NCP Secure Entry Client version 11.14 r42039 or later, which addresses this vulnerability. Sophos users should update to the corresponding patched version provided by Sophos. Until updates can be applied, organizations should consider the following mitigations:

  1. Disable automatic updates in the VPN client and manually update the software from trusted sources
  2. Implement network-level protections to prevent MITM attacks when possible
  3. Avoid using the vulnerable VPN client on untrusted networks
  4. Consider implementing application control policies to prevent the vulnerable components from connecting to the internet directly

References

  1. NCP Engineering VPN Client Download Page: https://www.ncp-e.com/en/resources/download-vpn-client/#c8680
  2. NCP Secure Entry Client Release Notes (Fixed Version): https://www.ncp-e.com/fileadmin/pdf/service_support/release_notes/NCP_Secure_Clients/NCP_Secure_Entry_Client/NCP_RN_Win_Secure_Entry_Client_11_14_r42039_en.pdf
  3. CWE-345: Insufficient Verification of Data Authenticity: https://cwe.mitre.org/data/definitions/345.html

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
    Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  4. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  5. Construction
    Construction
  6. Educational Services
    Educational Services
  7. Finance and Insurance
    Finance and Insurance
  8. Health Care & Social Assistance
    Health Care & Social Assistance
  9. Information
    Information
  10. Management of Companies & Enterprises
    Management of Companies & Enterprises
  11. Manufacturing
    Manufacturing
  12. Mining
    Mining
  13. Other Services (except Public Administration)
    Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  15. Public Administration
    Public Administration
  16. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  17. Retail Trade
    Retail Trade
  18. Transportation & Warehousing
    Transportation & Warehousing
  19. Utilities
    Utilities
  20. Wholesale Trade
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background