From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 31 Mar 2005 18:06:48 +0200
Subject: [NEWS] Cisco VPN 3000 Concentrator SSL DoS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050403101328.43C7057F4@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco VPN 3000 Concentrator SSL DoS
------------------------------------------------------------------------
SUMMARY
The Cisco VPN 3000 series concentrators are a family of purpose-built,
remote access Virtual Private Network (VPN) platforms for data encryption
and authentication.
A malicious user may be able to send a crafted attack via SSL (Secure
Sockets Layer) to Cisco's VPN concentrators leading it to reload, and/or
drop user connections.
DETAILS
Vulnerable Systems:
* Cisco VPN series that includes the models 3005, 3015, 3020, 3030, 3060,
3080 and the Cisco VPN 3002 Hardware Client.
Secure Sockets Layer (SSL) is a protocol used to encrypt the data
transferred over a TCP session. SSL in Cisco products is mainly used by
the HyperText Transfer Protocol Secure (HTTPS) web service for which the
default TCP port is 443. Due to this vulnerability, a malicious user may
send crafted HTTPS packets which may result in a reload of the affected
device or and/or user connections being dropped.
The affected products are only vulnerable if they have the HTTPS service
enabled and the access to the service is not limited to trusted hosts or
network management workstations. By default, HTTPS is not enabled on VPN
3000 devices, and must be manually enabled. Affected devices are not
vulnerable to transit traffic, only traffic that is destined to them may
exploit this vulnerability.
To check if the HTTPS service is enabled, one can do the following:
1. Check the configuration on the device to verify the status of the HTTPS
service.
2. Try to connect to the device using a standard web browser that supports
SSL
using a URL similar to https://ip_address_of_device/.
No authentication is required to exploit this vulnerability.
Successful exploitation of this vulnerability may result in a reload of
the affected device or and/or user connections being dropped. Repeated
exploitation of this vulnerability could result in a sustained Denial of
Service.
Vendor Status:
Cisco VPN 3000 series users can upgrade to version 4.1.7.B or later
software to resolve this vulnerability.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com.> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20050330-vpn3k.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20050330-vpn3k.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
