Cisco Warns of Flaws in VPN 3000 Series | eWeek

Written by Dennis Fisher
Sep 3, 2002

Cisco Systems Inc. on Tuesday released a bulletin detailing more than a dozen security vulnerabilities in its popular 3000 series of VPN concentrators.

The effects of the vulnerabilities range from denials of service to password disclosure to illicit network access. All of the 3000 series concentrators and the Cisco VPN 3002 Hardware Client are affected by the flaws.

The most serious problem enables some restricted-access administrative users to see the administrative password by viewing the source code of HTML pages containing the password. A separate vulnerability enables administrators to see the unencrypted certificate password for the concentrator by viewing the HTML source code.

There is also a flaw that effectively allows any protocol traffic to access any port on the concentrator. When an administrator enables the XML filter configuration, the concentrator automatically adds a rule to the public filter that requires HTTPS for public inbound traffic. The rule mistakenly sets the protocol value to “any” and the value for the destination port to 443.

However, the concentrator only checks the destination port field when the protocol value is set to TCP or UDP. Consequently, any protocol can access any port on the vulnerable concentrator with this rule in place.
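The filter behavior described above can be modeled in a few lines, together with an audit check that flags any rule whose port constraint is never evaluated. This is an added example, not Cisco code or configuration syntax: the rule names, packet values and the assumption that the intended rule was TCP to port 443 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PORT_AWARE = {"tcp", "udp"}  # protocols for which the port field is evaluated


@dataclass(frozen=True)
class Rule:
    name: str                 # hypothetical rule names, constructed for this example
    protocol: str             # "tcp", "udp", "icmp", ... or "any"
    dst_port: Optional[int]   # None means no port constraint


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Model of the matching described above: the destination port is
    compared only when the rule's protocol is TCP or UDP."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in PORT_AWARE and rule.dst_port is not None:
        return pkt.dst_port == rule.dst_port
    return True  # port field silently ignored for every other protocol value


def ignored_port_rules(rules):
    """Audit check: rules that carry a port the matcher will never evaluate."""
    return [r.name for r in rules
            if r.dst_port is not None and r.protocol not in PORT_AWARE]


# Constructed sample data: the auto-added rule as described, and the assumed intent.
AUTO_RULE = Rule("auto-https-in", "any", 443)
INTENDED_RULE = Rule("https-in", "tcp", 443)
SAMPLE = [Packet("tcp", 443), Packet("tcp", 23), Packet("udp", 500)]

if __name__ == "__main__":
    for rule in (AUTO_RULE, INTENDED_RULE):
        hits = [(p.protocol, p.dst_port) for p in SAMPLE if matches(rule, p)]
        print(f"{rule.name}: permits {hits}")
    print("port constraint ignored in:", ignored_port_rules([AUTO_RULE, INTENDED_RULE]))
```

The same audit idea applies to any filter export: a rule that names a port alongside a protocol of "any" deserves review, because the port may not be enforced.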

There are several vulnerabilities that result in a DoS condition on vulnerable machines, as well as a flaw that discloses too much information in the application-level banners. For example, the SSH banner gives out data on the machine in addition to the version number of SSH running on the device.

The advisory, which contains detailed information on affected hardware and upgrading to fixed software versions, is available here.

Cisco, of San Jose, Calif., recommends that customers upgrade to Version 3.5.5 of the code for the 3000 series concentrators.
