Cisco Warns of Flaws in VPN 3000 Series
The effects of the vulnerabilities range from denials of service to password disclosure to illicit network access. All of the 3000 series concentrators and the Cisco VPN 3002 Hardware Client are affected by the flaws.
The most serious problem enables some restricted-access administrative users to see the administrative password by viewing the source code of HTML pages containing the password. A separate vulnerability enables administrators to see the unencrypted certificate password for the concentrator by viewing the HTML source code.
There is also a flaw that effectively allows traffic of any protocol to reach any port on the concentrator. When an administrator enables the XML filter configuration, the concentrator automatically adds a rule to the public filter that is meant to permit only HTTPS on public inbound traffic. The rule mistakenly sets the protocol value to "any" rather than TCP, with the destination port set to 443.
Because the concentrator consults a rule's destination port only when that rule's protocol is TCP or UDP, the port-443 restriction in this rule is never evaluated. With the rule in place, traffic of any protocol to any port on the vulnerable concentrator is permitted.
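The following model of the filter evaluation is an added example, not Cisco's code: it encodes the matching behaviour the article describes (a rule's destination port is compared only when the rule's protocol is TCP or UDP), evaluates the generated rule as described beside the rule as it should have been, and includes a small audit helper that flags any rule whose port field can never be enforced. The first-match, deny-by-default policy and the sample packets are assumptions constructed for the illustration.

```python
"""Model of the filter-rule evaluation described in the article.

Added example, not Cisco's code. It encodes one reading of the advisory text:
a rule's destination-port field is consulted only when the rule's protocol is
TCP or UDP, so a rule written as protocol=any, dst_port=443 matches everything.
Protocol numbers are IANA values; the first-match/deny-by-default policy,
rules and packets are constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

TCP, UDP, ICMP, GRE, ESP = 6, 17, 1, 47, 50   # IANA IP protocol numbers
ANY = None                                     # wildcard protocol in a rule


@dataclass(frozen=True)
class Packet:
    protocol: int
    dst_port: Optional[int]   # None for protocols that carry no port (ICMP, GRE, ESP)


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    protocol: Optional[int]   # ANY or an IP protocol number
    dst_port: Optional[int]   # None means no port restriction


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Matching as the article describes it: the port is only checked for TCP/UDP rules."""
    if rule.protocol is not ANY and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in (TCP, UDP) and rule.dst_port is not None:
        return pkt.dst_port == rule.dst_port
    # Rule protocol is ANY (or a port-less protocol): dst_port is silently ignored.
    return True


def evaluate(rules: Iterable[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation with deny-by-default fallthrough (assumed policy)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def dead_port_rules(rules: Iterable[Rule]) -> List[Rule]:
    """Audit helper: rules whose dst_port can never be enforced because protocol is not TCP/UDP."""
    return [r for r in rules if r.dst_port is not None and r.protocol not in (TCP, UDP)]


# The rule as the article says the concentrator generated it, and the intended one.
FLAWED_HTTPS_RULE = Rule("permit", ANY, 443)
FIXED_HTTPS_RULE = Rule("permit", TCP, 443)

# Constructed sample traffic: legitimate HTTPS, TCP to another port, UDP, and port-less protocols.
SAMPLE_PACKETS = {
    "tcp/443": Packet(TCP, 443),
    "tcp/22": Packet(TCP, 22),
    "udp/443": Packet(UDP, 443),
    "icmp": Packet(ICMP, None),
    "gre": Packet(GRE, None),
}


def decisions(rule: Rule) -> Dict[str, str]:
    """Verdict a one-rule public filter gives for each sample packet."""
    return {name: evaluate([rule], pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rule in (("flawed", FLAWED_HTTPS_RULE), ("fixed", FIXED_HTTPS_RULE)):
        print(label, decisions(rule))
    print("rules with an unenforceable port field:",
          dead_port_rules([FLAWED_HTTPS_RULE, FIXED_HTTPS_RULE]))
```

With the flawed rule every sample packet is permitted, including TCP to port 22 and port-less protocols such as ICMP and GRE; with the protocol corrected to TCP only HTTPS passes. The same audit (a port restriction on a rule whose protocol is not TCP or UDP) is worth running over any exported filter configuration, since such a rule looks restrictive while restricting nothing.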
There are also several vulnerabilities that result in a DoS condition on vulnerable machines, as well as a flaw that discloses too much information in application-level banners. The SSH banner, for example, reveals details about the device beyond the version of SSH it is running.
Cisco's advisory contains detailed information on the affected hardware and on upgrading to fixed software versions.
Cisco, of San Jose, Calif., recommends that customers upgrade to Version 3.5.5 of the code for the 3000 series concentrators.