[NEWS] Cisco VPN 3000 Concentrator Multiple Vulnerabilities

From: support@securiteam.com
Date: 09/05/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu,  5 Sep 2002 16:22:46 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cisco VPN 3000 Concentrator Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

The Cisco VPN 3000 series concentrators are a family of purpose-built,
remote access Virtual Private Network (VPN) platforms for data encryption
and authentication.

This advisory documents multiple vulnerabilities for the Cisco VPN 3000
series concentrators and Cisco VPN 3002 Hardware Client. These
vulnerabilities are documented as Cisco bug IDs CSCdt56514, CSCdu15622,
CSCdu35577, CSCdu82823, CSCdv66718, CSCdv88230, CSCdw22408, CSCdw50657,
CSCdx07754, CSCdx24622, CSCdx24632, CSCdx39981, CSCdx54675 and CSCdy38035.
Upgrading to the latest version of code for the Cisco VPN 3000 series
concentrators and Cisco VPN 3002 Hardware Client, version 3.5.5 or 3.6.1,
would protect against all of these documented vulnerabilities.

DETAILS

Affected Products:
The Cisco VPN 3000 series concentrators are affected by these
vulnerabilities. This series includes models 3005, 3015, 3030, 3060, 3080
and the Cisco VPN 3002 Hardware Client.

DDTS - Description:
CSCdt56514 - PPTP, IPSEC internal authentication login vulnerability

Affected Releases:
 * 3.6(Rel)
 * 3.5(Rel) to 3.5.4
 * earlier than 3.1.2
 * earlier than 3.0.3(B)
 * 2.x.x

DDTS - Description:
CSCdu15622 - HTML parser processing vulnerability

Affected Releases:
 * earlier than 3.0.3(B)
 * 2.x.x

DDTS - Description:
CSCdu35577 - Concentrator gives out too much information in application
layer banners

Affected Releases:
 * earlier than 3.5.4
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS - Description:
CSCdu82823 - BSD sourced telnetd vulnerability

Affected Releases:
 * earlier than 3.0.4
 * 2.x.x

DDTS - Description:
CSCdv66718 - Windows PPTP client vulnerability

Affected Releases:
 * earlier than 2.5.2(F)

DDTS - Description:
CSCdv88230, CSCdw22408 - User passwords visible with HTML view source
vulnerability

Affected Releases:
 * earlier than 3.5.1
 * earlier than 3.1.4
 * 3.0.x
 * 2.x.x

DDTS - Description:
CSCdw50657 - Certificate passwords visible with HTML view source
vulnerability

Affected Releases:
 * earlier than 3.5.2
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS - Description:
CSCdx07754 - XML public rule vulnerability

Affected Releases:
 * earlier than 3.5.3
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS - Description:
CSCdx24622 - HTML pages access vulnerability

Affected Releases:
 * earlier than 3.5.3
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS - Description:
CSCdx24632 - HTML login processing vulnerability

Affected Releases:
 * earlier than 3.5.3
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS - Description:
CSCdx39981 - VPN client authentication vulnerability

Affected Releases:
 * 3.6(Rel)
 * earlier than 3.5.5
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS - Description:
CSCdx54675 - LAN-to-LAN IPSEC tunnel vulnerability

Affected Releases:
 * earlier than 3.5.4
 * 3.1.x
 * 3.0.x
 * 2.x.x

DDTS - Description:
CSCdy38035 - ISAKMP packet processing vulnerability

Affected Releases:
 * 3.6(Rel)
 * earlier than 3.5.5
 * 3.1.x
 * 3.0.x
 * 2.x.x
 
These vulnerabilities do not affect the VPN Client software or the Cisco
VPN 5000 series concentrators. No other Cisco product is known to be
affected by these vulnerabilities.

To determine if a Cisco VPN 3000 series concentrator is running affected
software, check the software revision via the web interface or the console
menu.

Details:
DDTS:
CSCdt56514 - PPTP, IPSEC internal authentication login vulnerability

Description Details:
If a Cisco VPN 3000 series concentrator is set up for internal
authentication with only group accounts configured and no user accounts
configured, then a VPN client logging in using PPTP or IPSEC user
authentication succeeds by using a group name/password as login
credentials.

For VPN client connections using IPSEC user authentication, the Cisco VPN
3000 series concentrator will not accept the same group name/password
that is configured in the VPN client's connection properties, but if
another group account exists on the concentrator, the VPN client can
authenticate to the concentrator using that group's name/password.
The Cisco VPN 3002 Hardware Client does not support PPTP or incoming
connections and therefore is not vulnerable to this problem.

DDTS:
CSCdu15622 - HTML parser processing vulnerability

Description Details:
Very long URL requests to the HTML interface cause the VPN 3000 series
concentrator to stop responding. The CPU on the Cisco VPN concentrator
jumps to 100%. The IP stack of the VPN concentrator stops responding.
The VPN concentrator recovers approximately five minutes after the DoS
attack is stopped.

DDTS:
CSCdu35577 - Concentrator gives out too much information in application
layer banners

Description Details:
The Cisco VPN 3000 series concentrators give out too much information in
application layer banners. The SSH banner gives out information about the
device apart from the SSH version numbers. The FTP banner gives
information about the device and the local time. An incorrect HTTP page
request gives out information about the device, the name of the person who
compiled the software and the time of compilation.

DDTS:
CSCdu82823 - BSD sourced telnetd vulnerability

Description Details:
Cisco VPN 3000 series concentrators run telnetd daemon code derived from
the BSD source and are vulnerable to a buffer overflow in the telnet
option handling, which can cause the telnet daemon to crash and result in
a VPN concentrator reload. This vulnerability is also documented as CERT
Advisory CA-2001-21.
Telnet is not permitted on the public interface of the VPN concentrator in
the default configuration and is never permitted on the public interface
of the VPN 3002 Hardware Client.

DDTS:
CSCdv66718 - Windows PPTP client vulnerability

Description Details:
Windows native PPTP clients connecting with the No Encryption option set
can cause the Cisco VPN 3000 series concentrator, with encryption set, to
reload.

DDTS:
CSCdv88230, CSCdw22408 - User passwords visible with HTML view source
vulnerability

Description Details:
On password-containing HTML pages of the Cisco VPN 3000 series
concentrator, restricted-access administrative users can observe the
password in clear text by viewing the source of the web page, without
having the appropriate level of administrative access.

DDTS:
CSCdw50657 - Certificate passwords visible with HTML view source
vulnerability

Description Details:
On the Certificate Management HTML pages for the Cisco VPN 3000 series
concentrator it is possible for administrative users to observe the
unencrypted certificate password in clear text upon viewing the source of
the web page.

DDTS:
CSCdx07754 - XML public rule vulnerability

Description Details:
When a Cisco VPN 3000 series concentrator has the XML filter configuration
enabled on its public interface, the configuration adds the rule "HTTPS on
Public Inbound (XML-Auto)(forward/in)" to the public filter and sets the
value for the protocol incorrectly to "ANY" and the value for the
destination port to "443". The VPN concentrator checks the destination
port field value only when the protocol is set to TCP or UDP. So enabling
this filter configuration effectively allows any protocol on any port
through the VPN Concentrator.
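To make the mismatch concrete, here is an added example (not Cisco's code) that models the filter matching behaviour the advisory describes: a rule whose protocol is ANY never has its destination port consulted, so the XML-Auto rule as installed forwards everything, while the same rule with protocol TCP behaves as intended. The FilterRule and Packet classes and the audit_rules check are assumptions of this model, not the concentrator's own data structures.

```python
from dataclasses import dataclass
from typing import List, Optional

# Protocols for which the destination port field is actually evaluated
PORT_BEARING = {"TCP", "UDP"}


@dataclass(frozen=True)
class FilterRule:
    """One rule of a concentrator-style packet filter (hypothetical model)."""
    name: str
    protocol: str            # "ANY", "TCP", "UDP", "ICMP", ...
    dst_port: Optional[int]  # only meaningful when protocol is TCP or UDP
    action: str              # "forward" or "drop"


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int]


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    """Mirror the behaviour the advisory describes: the destination port is
    consulted only when the rule's protocol is TCP or UDP."""
    if rule.protocol != "ANY" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in PORT_BEARING and rule.dst_port is not None:
        return pkt.dst_port == rule.dst_port
    return True  # protocol ANY: the port field is silently ignored


def filter_action(rules: List[FilterRule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; unmatched traffic takes the default action."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def audit_rules(rules: List[FilterRule]) -> List[str]:
    """Configuration check: names of rules whose port restriction is never
    enforced because the protocol is not TCP or UDP."""
    return [r.name for r in rules
            if r.dst_port is not None and r.protocol not in PORT_BEARING]


# The rule as the advisory says XML-Auto installs it: protocol ANY, port 443
BUGGY_RULE = FilterRule("HTTPS on Public Inbound (XML-Auto)(forward/in)",
                        "ANY", 443, "forward")
# Corrected form: protocol TCP, so the port 443 restriction is enforced
FIXED_RULE = FilterRule("HTTPS on Public Inbound (XML-Auto)(forward/in)",
                        "TCP", 443, "forward")
```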

DDTS:
CSCdx24622 - HTML pages access vulnerability

Description Details:
Users can access a few Cisco VPN 3000 series concentrator HTML pages
containing limited information without proper authentication.

DDTS:
CSCdx24632 - HTML login processing vulnerability

Description Details:
It is possible to cause the Cisco VPN 3000 series concentrator to reload
by modifying an HTML file and posting very large strings as the
username/password while accessing the HTML interface on the VPN
concentrator.

DDTS:
CSCdx39981 - VPN client authentication vulnerability

Description Details:
When using a VPN client it is possible to cause the Cisco VPN 3000 series
concentrator to reload by responding with a very large string for the
username prompt.

DDTS:
CSCdx54675 - LAN-to-LAN IPSEC tunnel vulnerability

Description Details:
The Cisco VPN 3000 series concentrator does not drop an incoming
LAN-to-LAN connection even when it already has a security association for
the same remote network with another device. Instead, it disconnects the
previously established connection and establishes a connection with the
new device. The VPN concentrator also does not verify if the data coming
across a LAN-to-LAN connection is being sourced from the correct network.
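An added illustration (not Cisco's implementation) of the two checks the advisory says the affected releases lack: refusing a second peer's negotiation for a remote network that already has a security association, and verifying that decrypted LAN-to-LAN traffic is sourced from the network the tunnel covers. The LanToLanTable class and all addresses are constructed for this example.

```python
import ipaddress
from typing import Dict


class LanToLanTable:
    """Hypothetical LAN-to-LAN security association table keyed by the remote
    network, remembering which peer gateway owns each association."""

    def __init__(self) -> None:
        self._sa: Dict[ipaddress.IPv4Network, ipaddress.IPv4Address] = {}

    def negotiate(self, remote_net: str, peer: str) -> bool:
        """Accept a LAN-to-LAN negotiation from peer for remote_net.
        Affected releases dropped the existing association and accepted the
        newcomer; here the newcomer is refused while the original owner keeps
        the association (rekeying by the same peer is still allowed)."""
        net = ipaddress.ip_network(remote_net)
        gateway = ipaddress.ip_address(peer)
        owner = self._sa.get(net)
        if owner is not None and owner != gateway:
            return False
        self._sa[net] = gateway
        return True

    def accept_inner(self, peer: str, inner_src: str) -> bool:
        """Anti-spoofing check on decrypted traffic: the inner source address
        must fall inside a remote network whose association belongs to peer."""
        gateway = ipaddress.ip_address(peer)
        src = ipaddress.ip_address(inner_src)
        return any(src in net for net, owner in self._sa.items() if owner == gateway)
```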

DDTS:
CSCdy38035 - ISAKMP packet processing vulnerability

Description Details:
Malformed or very large ISAKMP packets can cause the device to reload in
four instances:
 * Upon receipt of a malformed ISAKMP packet
 * Upon having debug turned on during the receipt of various malformed
packets
 * Upon receiving a very large number of payloads in an ISAKMP packet
 * Upon having debug turned on while receiving large ISAKMP packets.
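As an added example of the defensive parsing a robust implementation needs here (not Cisco's code, and not a full IKE decoder), the following walks an ISAKMP payload chain with the checks that address the cases above: the header length and every payload length are validated against the actual packet, the payload count is bounded, and any violation is rejected rather than trusted. MAX_PAYLOADS and MAX_PACKET_LEN are assumed bounds, and build_isakmp is a constructed helper for producing sample packets.

```python
import struct
from typing import List, Tuple

ISAKMP_HDR_LEN = 28          # RFC 2408 header: 2 cookies, next payload, version, exchange, flags, msg id, length
GENERIC_PAYLOAD_HDR_LEN = 4  # next payload (1), reserved (1), payload length (2)
MAX_PAYLOADS = 32            # assumed bound on payloads per packet
MAX_PACKET_LEN = 4096        # assumed bound on accepted packet size


class IsakmpError(ValueError):
    """Raised for any packet that fails validation; the caller drops it."""


def parse_isakmp(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the payload chain and return [(payload_type, body), ...].
    Every length is checked against the real packet before it is used."""
    if len(data) > MAX_PACKET_LEN:
        raise IsakmpError("packet exceeds accepted size")
    if len(data) < ISAKMP_HDR_LEN:
        raise IsakmpError("truncated ISAKMP header")
    (_icookie, _rcookie, next_payload, _version, _exchange,
     _flags, _msg_id, length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if length != len(data):
        raise IsakmpError("header length field does not match packet")
    payloads: List[Tuple[int, bytes]] = []
    offset = ISAKMP_HDR_LEN
    while next_payload != 0:  # next payload 0 (NONE) terminates the chain
        if len(payloads) >= MAX_PAYLOADS:
            raise IsakmpError("too many payloads")
        if offset + GENERIC_PAYLOAD_HDR_LEN > len(data):
            raise IsakmpError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < GENERIC_PAYLOAD_HDR_LEN or offset + plen > len(data):
            raise IsakmpError("payload length outside packet")
        payloads.append((next_payload, data[offset + 4:offset + plen]))
        offset += plen
        next_payload = nxt
    if offset != len(data):
        raise IsakmpError("trailing bytes after last payload")
    return payloads


def build_isakmp(payloads: List[Tuple[int, bytes]]) -> bytes:
    """Constructed helper for sample packets (not a real IKE encoder)."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GENERIC_PAYLOAD_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, first,
                         0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))
    return header + body
```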
 
These vulnerabilities are documented as Cisco bug IDs CSCdt56514,
CSCdu15622, CSCdu35577, CSCdu82823, CSCdv66718, CSCdv88230, CSCdw22408,
CSCdw50657, CSCdx07754, CSCdx24622, CSCdx24632, CSCdx39981, CSCdx54675 and
CSCdy38035, which require a CCO account to view and can be viewed after
2002 September 4 at 1500 UTC.

Impact:
DDTS:
CSCdt56514 - PPTP, IPSEC internal authentication login vulnerability

Description Impact:
Unintended access to the network serviced by the VPN 3000 series
concentrator.

DDTS:
CSCdu15622 - HTML parser processing vulnerability

Description Impact:
This vulnerability can be exploited to initiate a DoS attack.

DDTS:
CSCdu35577 - Concentrator gives out too much information in application
layer banners

Description Impact:
The extra information given out could help an attacker plan his attacks.

DDTS:
CSCdu82823 - BSD sourced telnetd vulnerability

Description Impact:
This vulnerability can be exploited to initiate a DoS attack.

DDTS:
CSCdv66718 - Windows PPTP client vulnerability

Description Impact:
This vulnerability can be exploited to initiate a DoS attack.

DDTS:
CSCdv88230, CSCdw22408 - User passwords visible with HTML view source
vulnerability

Description Impact:
Unintended disclosure of passwords on non-administrative user accessed
HTML pages.

DDTS:
CSCdw50657 - Certificate passwords visible with HTML view source
vulnerability

Description Impact:
Unintended disclosure of passwords on an administrative user accessed HTML
page.

DDTS:
CSCdx07754 - XML public rule vulnerability

Description Impact:
Unintended access to the network serviced by the Cisco VPN 3000 series
concentrator.

DDTS:
CSCdx24622 - HTML pages access vulnerability

Description Impact:
Unintended access to generic content on a few HTML pages.

DDTS:
CSCdx24632 - HTML login processing vulnerability

Description Impact:
This vulnerability can be exploited to initiate a DoS attack.

DDTS:
CSCdx39981 - VPN client authentication vulnerability

Description Impact:
This vulnerability can be exploited to initiate a DoS attack.

DDTS:
CSCdx54675 - LAN-to-LAN IPSEC tunnel vulnerability

Description Impact:
This vulnerability can be exploited to initiate a DoS attack.

DDTS:
CSCdy38035 - ISAKMP packet processing vulnerability

Description Impact:
These vulnerabilities can be exploited to initiate DoS attacks.

Software Versions and Fixes:
A table listing all available versions and their fixes is viewable by
going to:
 
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml#Software

Obtaining Fixed Software:
Cisco is offering free software upgrades to address these vulnerabilities
for all affected customers. Customers may only install and expect support
for the feature sets they have purchased.

Customers with service contracts should contact their regular update
channels to obtain the free software upgrade identified via this advisory.
For most customers with service contracts, this means that upgrades should
be obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com/kobayashi/sw-center/vpn/3000/ . To access this link
you must be a registered user and you must be logged in.

Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
upgrade(s).

Customers who purchased directly from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third party vendors
but are unsuccessful at obtaining fixed software through their point of
sale, should obtain fixed software by contacting the Cisco Technical
Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain an upgrade to a later
version of the same release or as indicated by the applicable corrected
software version in the Software Versions and Fixes section (noted above).

Cisco TAC contacts are as follows:
 * +1 800 553 2447 (toll free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this
advisory as evidence of your entitlement to a free upgrade.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds:
DDTS:
CSCdt56514 - PPTP, IPSEC internal authentication login vulnerability

Description Workarounds / Mitigation techniques:
If possible use external authentication like TACACS+ or RADIUS.

DDTS:
CSCdu15622 - HTML parser processing vulnerability

Description Workarounds / Mitigation techniques:
Restrict access to the HTML interface such that connections are permitted
only from trusted sources.

DDTS:
CSCdu35577 - Concentrator gives out too much information in application
layer banners

Description Workarounds / Mitigation techniques:
There is no workaround.

DDTS:
CSCdu82823 - BSD sourced telnetd vulnerability

Description Workarounds / Mitigation techniques:
Restrict access to the telnet interface such that connections are
permitted only from trusted sources.

DDTS:
CSCdv66718 - Windows PPTP client vulnerability

Description Workarounds / Mitigation techniques:
If possible configure the VPN 3000 series concentrator for IPSEC support
only.

DDTS:
CSCdv88230, CSCdw22408 - User passwords visible with HTML view source
vulnerability

Description Workarounds / Mitigation techniques:
Restrict access to the HTML interface such that connections are permitted
only from trusted sources.

DDTS:
CSCdw50657 - Certificate passwords visible with HTML view source
vulnerability

Description Workarounds / Mitigation techniques:
Restrict access to the HTML interface such that connections are permitted
only from trusted sources.

DDTS:
CSCdx07754 - XML public rule vulnerability

Description Workarounds / Mitigation techniques:
Remove any XML filter on the public interface.

DDTS:
CSCdx24622 - HTML pages access vulnerability

Description Workarounds / Mitigation techniques:
Restrict access to the HTML interface such that connections are permitted
only from trusted sources.

DDTS:
CSCdx24632 - HTML login processing vulnerability

Description Workarounds / Mitigation techniques:
Restrict access to the HTML interface such that connections are permitted
only from trusted sources.

DDTS:
CSCdx39981 - VPN client authentication vulnerability

Description Workarounds / Mitigation techniques:
There is no workaround.

DDTS:
CSCdx54675 - LAN-to-LAN IPSEC tunnel vulnerability

Description Workarounds / Mitigation techniques:
There is no workaround.

DDTS:
CSCdy38035 - ISAKMP packet processing vulnerability

Description Workarounds / Mitigation techniques:
There is no workaround.

The Cisco PSIRT recommends that affected users upgrade to a fixed software
version of code.

ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
