J-Security Center

Title: Multiple Cisco VPN 3000 Vulnerabilities

Severity: CRITICAL

Description:

Cisco has reported a number of vulnerabilities in the VPN 3000 series concentrators. These issues affect models 3005, 3015, 3030, 3060, 3080 and the Cisco VPN 3002 Hardware Client.

The first issue affects PPTP and IPSEC internal authentication. It is possible for a user to login to the VPN from the external network using group authentication credentials designed for the internal network. This can occur when the concentrator is configured for group accounts but no user accounts have been created. This may allow a malicious user to violate the security policy. The Cisco VPN 3002 Hardware Client is not affected by this issue.

The second issue is a denial of service condition in the HTML interface of the concentrators. An overly long request may cause the IP stack of the device to stop responding, due to resource exhaustion. The device is said to recover approximately 5 minutes after the overly long request is processed.

The third issue is an information disclosure problem with the affected devices. Sensitive information is disclosed in the SSH and FTP banners. HTTP error pages also give out sensitive information about the device. An attacker may use this sensitive information to assist in mounting further attacks against the device.

The fourth issue is a buffer overflow in the telnet daemon included with the device. It is reported that this may be exploited to cause a denial of service. It should be noted that the telnetd interface is not enabled by default in the affected concentrators, nor can it be enabled on Cisco VPN 3002 Hardware Client.

The fifth issue could result in a denial of service attack against a vulnerable device. A native Microsoft Windows PPTP client connecting with the "No Encryption" option set may cause a VPN 3000 series concentrator to arbitrarily reload. This could result in a denial of service.

The sixth issue has the potential to disclose user credentials to remote attackers. Any administrative HTML pages which contain user credentials will disclose the plaintext password in the page source code. This may allow restricted access administrative users to gain access to the credentials.

The seventh issue also has the potential to disclose sensitive authentication credentials. Certificate credentials are contained in plaintext in the source code of Certificate Management HTML pages and will be viewable by administrative users.
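The sixth and seventh issues both come down to credentials embedded in the source of administrative HTML pages. The following is an added audit routine, not code from Cisco or Juniper, that an administrator can run over saved copies of their own admin pages to flag password and certificate fields whose value is present in the markup; the sample page and the list of credential-like field names are constructed assumptions, not taken from the VPN 3000 interface.

```python
from html.parser import HTMLParser


class CredentialLeakAuditor(HTMLParser):
    """Collect <input> elements whose value attribute carries a credential.

    Flags type="password" fields with a non-empty value, and hidden fields
    whose name looks credential-like (constructed heuristic, not Cisco's).
    Only the field name, type and value length are recorded, so the report
    itself never reproduces the secret.
    """
    SECRET_NAMES = ("password", "passwd", "secret", "key")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attributes without a value arrive as None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        itype = a.get("type", "text").lower()
        name = a.get("name", "")
        value = a.get("value", "")
        if not value:
            return  # an empty value discloses nothing
        secret_like = any(s in name.lower() for s in self.SECRET_NAMES)
        if itype == "password" or (itype == "hidden" and secret_like):
            self.findings.append((name, itype, len(value)))


def audit_page(html: str):
    """Return [(field name, input type, value length)] for leaked credentials."""
    parser = CredentialLeakAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of an administrative form; not a real VPN 3000 page.
SAMPLE_PAGE = """<html><body>
<form action="/admin/users" method="post">
  <input type="text" name="username" value="vpnadmin">
  <input type="password" name="group_pw" value="s3cretpass">
  <input type="hidden" name="ipsec_secret" value="abcd1234">
  <input type="password" name="confirm_pw" value="">
  <input type="hidden" name="page_id" value="42">
</form>
</body></html>"""

if __name__ == "__main__":
    for name, itype, length in audit_page(SAMPLE_PAGE):
        print(f"credential present in page source: {name} ({itype}, {length} chars)")
```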

The eighth issue may potentially allow traffic for any protocol to be sent across an arbitrary port on the concentrator. This issue occurs when the XML filter is enabled on the public interface, causing a misconfigured rule to be added to the device.

The ninth issue is that users may access a limited number of HTML pages for the device without authentication being required. This has the potential to disclose some amount of sensitive information.

The tenth issue is a denial of service condition related to handling of overly long username and password strings submitted via a modified HTML page. If the attacker posts overly long values for these strings, the device will reportedly reload.

The eleventh issue is also a denial of service condition related to the handling of an overly long username string. The malformed string may be submitted with a VPN client and may cause the device to reload when it is processed.

The twelfth issue is a failure to drop a new incoming LAN-to-LAN connection in circumstances when the connection already has a security association with the same remote network on another device. The previous connection will be dropped and a connection will be made with the new, possibly untrusted device on the remote network. This may potentially allow unauthorized access by untrusted devices on a supposedly trusted network. The device also reportedly does not verify the data coming across the connection to determine if it is coming from the correct network.

The final issue is a denial of service condition which may be caused by malformed ISAKMP packets. Various types of malformed packets may cause the device to reload, under different settings.

** These issues will be separated into individual Bugtraq IDs when further analysis is completed. A new alert with more detailed information will be sent out for each individual record.

Affected Products:

  • Cisco VPN 3000 Concentrator 2.5.2(A)
  • Cisco VPN 3000 Concentrator 2.5.2(B)
  • Cisco VPN 3000 Concentrator 2.5.2(C)
  • Cisco VPN 3000 Concentrator 2.5.2(D)
  • Cisco VPN 3000 Concentrator 2.5.2(F)
  • Cisco VPN 3000 Concentrator 3.0.3(A)
  • Cisco VPN 3000 Concentrator 3.1.1
  • Cisco VPN 3000 Concentrator 3.5.0(Rel)
  • Cisco VPN 3000 Concentrator 3.5.3
  • Cisco VPN 3000 Concentrator 3.5.4
  • Cisco VPN 3000 Concentrator 3.6.0
  • Cisco VPN 3002 Hardware Client 0.0.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.