[ISN] Cisco Warns of Flaws in VPN 3000 Series

From: InfoSec News (isnat_private)
Date: Tue Sep 03 2002 - 23:53:36 PDT

    September 3, 2002
    By Dennis Fisher

    Cisco Systems Inc. on Tuesday released a bulletin detailing more than
    a dozen security vulnerabilities in its popular 3000 series of VPN

    The effects of the vulnerabilities range from denials of service to
    password disclosure to illicit network access. All of the 3000 series
    concentrators and the Cisco VPN 3002 Hardware Client are affected by
    the flaws.

    The most serious problem enables some restricted-access administrative
    users to see the administrative password by viewing the source code of
    HTML pages containing the password. A separate vulnerability enables
    administrators to see the unencrypted certificate password for the
    concentrator by viewing the HTML source code.

    There is also a flaw that effectively allows any protocol traffic to
    access any port on the concentrator. When an administrator enables the
    XML filter configuration, the concentrator automatically adds a rule
    to the public filter that requires HTTPS for public inbound traffic.
    The rule mistakenly sets the protocol value to "any" and the value for
    the destination port to 443.

    However, the concentrator only checks the destination port field when
    the protocol value is set to TCP or UDP. Consequently, any protocol
    can access any port on the vulnerable concentrator with this rule in

    There are several vulnerabilities that result in a DoS condition on
    vulnerable machines, as well as a flaw that discloses too much
    information in the application-level banners. For example, the SSH
    banner gives out data on the machine in addition to the version number
    of SSH running on the device.

    The advisory, which contains detailed information on affected hardware
    and upgrading to fixed software versions, is available here.

    Cisco, of San Jose, Calif., recommends that customers upgrade to
    Version 3.5.5 of the code for the 3000 series concentrators.
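
The filter behaviour described in the article, modelled as an added example (not Cisco's code and not part of the original article). The rule fields, action names and first-match, default-drop evaluation are assumptions made for illustration; the audit function shows how a rule whose port constraint is silently ignored can be flagged.

```python
from dataclasses import dataclass
from typing import Optional

PORT_PROTOCOLS = {"tcp", "udp"}  # protocols for which the port field is evaluated

@dataclass(frozen=True)
class Rule:
    protocol: str            # "any", "tcp", "udp", ...
    dst_port: Optional[int]  # None means "no port constraint"
    action: str = "forward"  # hypothetical action name

@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int] = None  # None for port-less protocols such as ICMP

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Matching as the article describes it: port is compared only for TCP/UDP rules."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in PORT_PROTOCOLS and rule.dst_port is not None:
        return pkt.dst_port == rule.dst_port
    return True  # protocol "any": the dst_port field is never looked at

def evaluate(rules, pkt, default="drop"):
    """First matching rule wins; anything unmatched gets the default action."""
    return next((r.action for r in rules if rule_matches(r, pkt)), default)

def audit(rules):
    """Flag rules whose port constraint is silently ignored by the matcher."""
    return [r for r in rules
            if r.dst_port is not None and r.protocol not in PORT_PROTOCOLS]

AUTO_ADDED = [Rule("any", 443)]  # rule as the article says it was generated
INTENDED = [Rule("tcp", 443)]    # what an HTTPS-only rule needs to say

# Constructed sample traffic: HTTPS, another TCP port, a UDP port, and ICMP.
SAMPLES = [Packet("tcp", 443), Packet("tcp", 23), Packet("udp", 161), Packet("icmp")]

def verdicts(rules):
    """Return the action taken for each constructed sample packet."""
    return [evaluate(rules, p) for p in SAMPLES]

if __name__ == "__main__":
    print("auto-added:", verdicts(AUTO_ADDED))
    print("intended:  ", verdicts(INTENDED))
    print("audit hits:", audit(AUTO_ADDED + INTENDED))
```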