CVE-2017-17023 in IPSec Client
Summary
by MITRE
The Sophos UTM VPN endpoint interacts with client software provided by NPC Engineering (www.ncp-e.com). The affected client software, "Sophos IPSec Client" 11.04 is a rebranded version of NCP "Secure Entry Client" 10.11 r32792. A vulnerability in the software update feature of the VPN client allows a man-in-the-middle (MITM) or man-on-the-side (MOTS) attacker to execute arbitrary, malicious software on a target user's computer. This is related to SIC_V11.04-64.exe (Sophos), NCP_EntryCl_Windows_x86_1004_31799.exe (NCP), and ncpmon.exe (both Sophos and NCP). The vulnerability exists because: (1) the VPN client requests update metadata over an insecure HTTP connection; and (2) the client software does not check if the software update is signed before running it.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/28/2020
The vulnerability identified as CVE-2017-17023 represents a critical security flaw in the Sophos UTM VPN endpoint's integration with NPC Engineering's client software ecosystem. This issue affects the Sophos IPSec Client version 11.04, which is essentially a rebranded version of NCP's Secure Entry Client 10.11 r32792, creating a complex attack surface that spans multiple software components including SIC_V11.04-64.exe, NCP_EntryCl_Windows_x86_1004_31799.exe, and ncpmon.exe. The vulnerability stems from fundamental security weaknesses in the software update mechanism that directly enables sophisticated attack vectors targeting enterprise and individual users.
The technical flaw manifests through two critical design failures that together create an exploitable condition for man-in-the-middle and man-on-the-side attacks. First, the VPN client software retrieves update metadata through an insecure HTTP connection rather than implementing secure HTTPS transmission, making the update process susceptible to network-based interception and manipulation. Second, and more critically, the client software lacks proper code signature verification before executing any downloaded updates, allowing malicious actors to inject arbitrary code that will run with the privileges of the target user. This dual weakness creates a pathway where attackers can seamlessly replace legitimate update files with malicious payloads without requiring any user interaction or elevated privileges beyond network access.
The operational impact of this vulnerability extends far beyond simple code execution, as it fundamentally undermines the security posture of organizations relying on Sophos UTM VPN solutions. Attackers exploiting this vulnerability can achieve persistent access to target systems, potentially escalating privileges and establishing backdoors for long-term surveillance. The vulnerability affects both enterprise environments using Sophos UTM appliances and individual users who may be unaware of the compromised client software, creating a widespread attack surface that could compromise sensitive corporate data, intellectual property, and user credentials. This represents a significant concern for organizations with remote work capabilities, as the attack vector can be executed from anywhere on the internet without requiring physical access to the target network.
Security professionals should consider this vulnerability in the context of CWE-319, which addresses the exposure of sensitive information through improper network communication, and CWE-321, which covers the use of insecure communication channels. The attack pattern aligns with ATT&CK technique T1071.004 for application layer protocol usage and T1059 for command and scripting interpreter execution. Organizations should implement immediate mitigations including network segmentation to prevent unauthorized access to update servers, deployment of network monitoring tools to detect HTTP traffic to update endpoints, and mandatory code signing enforcement for all software updates. Additionally, the affected software components should be updated to versions that implement secure HTTPS connections for update metadata retrieval and enforce digital signature verification before executing any downloaded code. The vulnerability underscores the importance of secure update mechanisms in enterprise security infrastructure and highlights the critical need for proper cryptographic practices in software distribution channels.