• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Cisco VPN 3000 Concertrator Malformed IP Packet Vulnerability

Severity: HIGH

Description:

The VPN 3000 Concentrator is a virtual private networking device distributed by Cisco Systems. The VPN 3000 Concentrator is designed to facilitate communications between two remote sites, providing the security cryptographic transit and the convience of seamless operation.

A problem with the firmware used on the device could lead to denial of service attacks. This problem affects revisions of the software previous to 2.5.2(F).

It is possible to create a state of instability in VPN 3000 Concentrators by sending custom crafted IP packets to the device. A custom IP packet containing certain options can cause the device to consume 100 percent of it's CPU. Options to IP packets are normally specified in the IP header, after the 32 bit destination address and before the data segment of the packet. After receiving the packet, the system ceases operation, and requires a power cycling to resume normal operation.

This vulnerability can only be exploited on networks local to the VPN device. Packets crossing IP Routers with the option specified do not affect the device. Additionally, the system is vulnerable from both the internal and external interface of the device.

There are no details on the options specified in the IP header that cause the system to cease functioning.

Affected Products:

• Cisco VPN 3000 Concentrator 2.5.2(A)
• Cisco VPN 3000 Concentrator 2.5.2(B)
• Cisco VPN 3000 Concentrator 2.5.2(C)
• Cisco VPN 3000 Concentrator 2.5.2(D)

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.