This advisory documents vulnerabilities for the Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client. These vulnerabilities are documented as Cisco bug ID CSCea77143 (IPSec over TCP), CSCdz15393 (SSH), and CSCdt84906 (ICMP). There are workarounds available to mitigate the effects of these vulnerabilities. Upgrading to the latest version of code for the Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client, version 4.0.1 and 3.6.7F, would protect against all of these documented vulnerabilities. This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030507-vpn3k.
This section provides details on affected products.
The Cisco VPN 3000 series concentrators are affected by these vulnerabilities. This series includes models 3005, 3015, 3030, 3060, 3080 and the Cisco VPN 3002 Hardware Client.
DDTS - Description | Affected Releases
---|---
CSCea77143 - enabling IPSec over TCP vulnerability |
CSCdz15393 - malformed SSH initialization packet vulnerability |
CSCdt84906 - malformed ICMP traffic vulnerability |
To determine if a Cisco VPN 3000 series concentrator is running affected software, check the software revision via the web interface or the console menu.
These vulnerabilities do not affect the Cisco VPN Client software or the Cisco VPN 5000 series concentrators. No other Cisco products are currently known to be affected by these vulnerabilities.
This table provides details about these vulnerabilities.
DDTS - Description | Details
---|---
CSCea77143 - enabling IPSec over TCP vulnerability | Enabling IPSec over TCP on a port of the VPN 3000 series concentrator allows ordinary TCP traffic arriving on that port to pass through the concentrator and reach the private network without any form of authentication. For example, if IPSec over TCP is configured to use port 80 and the private network is routable from the public network (i.e. a workstation on the public network has the VPN 3000 series concentrator configured as the gateway for the private network's address space), a user on that workstation can browse web servers on the private network that serve port 80 without authenticating. As another example, if IPSec over TCP is not configured for port 80 but is left on its default port of 10000, and a server on the private network listens for telnet connections on port 10000, one can telnet to that server from the workstation on the public network. For more information on IPSec over TCP, refer to the documentation available at /en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce2c.html#1279809
CSCdz15393 - malformed SSH initialization packet vulnerability | A malformed SSH initialization packet sent during the initial SSH session setup may reload the VPN 3000 series concentrator.
CSCdt84906 - malformed ICMP traffic vulnerability | A flood of malformed ICMP packets could result in performance degradation on the VPN 3000 series concentrator and may even cause the concentrator to reload.
These vulnerabilities are documented in the Cisco Bug Toolkit (registered customers only) as Bug IDs CSCea77143, CSCdz15393, and CSCdt84906, and can be viewed after 2003 May 8 at 1600 UTC. To access this tool, you must be a registered user and you must be logged in.
The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code.
DDTS - Description | Workaround
---|---
CSCea77143 - enabling IPSec over TCP vulnerability | Add rules to the filter for the private interface that block outgoing traffic on the ports configured for use by IPSec over TCP on the VPN concentrator. This does not stop the traffic from the public network reaching the VPN 3000 concentrator itself, but it prevents that traffic from reaching servers on the private network.
CSCdz15393 - malformed SSH initialization packet vulnerability | Restrict access to the SSH server on the VPN 3000 series concentrator by applying appropriate rules to the filters for the interfaces, so that connections are permitted only from trusted client hosts.
CSCdt84906 - malformed ICMP traffic vulnerability | Only allow legitimate ICMP traffic to reach the VPN 3000 series concentrator's interfaces.
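The following script is an added check for the IPSec over TCP pass-through described in the details and workaround tables above; it is not Cisco's code and is not part of the original advisory. Run from a workstation on the public side that routes the private address space via the concentrator, it attempts a plain TCP connect to private-network hosts on each IPSec-over-TCP port: a completed handshake means the concentrator passed unauthenticated traffic through (CSCea77143), and after the private-interface filter rule is applied the same probe should report "filtered". The private host list, the port set (10000 and 80, the two ports the advisory discusses) and the loopback listener used for the offline demo are assumptions or constructed inputs, not values from the advisory.

```python
"""Probe whether TCP traffic on an IPSec-over-TCP port reaches the private network.

Added example, not Cisco's code. Run from a PUBLIC-side host whose route to the
private address space goes through the VPN 3000 concentrator. Host addresses,
ports and the local demo listener below are assumptions / constructed inputs.
"""
import socket
import threading

# Assumption: the concentrator has IPSec over TCP enabled on these ports
# (10000 is the default; 80 is the custom-port example in the advisory).
IPSEC_OVER_TCP_PORTS = (10000, 80)


def probe(host, port, timeout=3.0):
    """Classify a TCP connect to host:port as 'connected', 'refused' or 'filtered'.

    From a public-side host to a PRIVATE address on an IPSec-over-TCP port:
      'connected' -> the concentrator passed the segment through unauthenticated
      'refused'   -> a RST came back: something routed it, nothing listens there
      'filtered'  -> no answer within the timeout (dropped by a filter rule,
                     or the host is unreachable)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "connected"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout / TimeoutError and unreachable errors
        return "filtered"
    finally:
        s.close()


def grab_banner(host, port, timeout=3.0, nbytes=128):
    """Read what the private-side service says first (e.g. a telnet login prompt)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(nbytes)
        except OSError:
            return b""


def assess(private_hosts, ports=IPSEC_OVER_TCP_PORTS, timeout=3.0):
    """Probe every (host, port) pair; returns {(host, port): classification}."""
    return {(h, p): probe(h, p, timeout) for h in private_hosts for p in ports}


def exposed(results):
    """The (host, port) pairs that completed a handshake, i.e. the exposure list."""
    return sorted(k for k, v in results.items() if v == "connected")


# ---- offline demo: a constructed stand-in for a private-side telnet-like server ----
def start_demo_listener(banner=b"login: "):
    """Start a throwaway loopback listener that greets with a banner; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client hung up after the handshake; that is fine

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Return a loopback port with no listener, so a probe to it is 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Real use: assess(["10.1.1.10", "10.1.1.11"]) from the public-side workstation,
    # once before and once after adding the private-interface filter rule.
    demo_port = start_demo_listener()
    results = assess(["127.0.0.1"], ports=(demo_port, free_port()))
    for key, verdict in sorted(results.items()):
        print(key, verdict)
    print("exposed:", exposed(results))
```

Run it twice: before the filter rule, any pair that reports "connected" (and returns a banner from `grab_banner`) is a private service reachable from the public network with no IPSec authentication; after the rule is in place on the private interface, the same pairs should report "filtered", while the concentrator itself still accepts the IPSec-over-TCP port, exactly as the workaround describes.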
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
DDTS - Description | Fixed Releases
---|---
CSCea77143 - enabling IPSec over TCP vulnerability |
CSCdz15393 - malformed SSH initialization packet vulnerability |
CSCdt84906 - malformed ICMP traffic vulnerability |
The procedure to upgrade to the fixed software version is detailed at http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to PSIRT by internal development testing.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Description
---|---|---
1.0 | 2003-May-7 | Initial public release.
1.1 | 2003-May-7 | Corrected the Affected Products table.
1.2 | 2003-May-8 | Corrected the link in the Obtaining Fixed Software section.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.