When a user establishes a VPN session upon successful peer and user
authentication, the PIX creates an ISAKMP SA associating the user and his IP
If an attacker can then block the logged-in user's connection and
establish a connection to the PIX from the same IP address as that user, the
attacker can establish a VPN session with the PIX using only peer
authentication, provided that the attacker already possesses the peer
authentication key, also known as the group pre-shared key (PSK) or group
password key. User authentication is not repeated, because the PIX treats the
earlier user authentication as belonging to the source IP address rather than
to the ISAKMP SA that performed it; anyone who holds the group PSK, which is
normally shared by every member of the VPN group, can therefore inherit
another user's session from a spoofed or reassigned address.
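The following is an added, constructed model of the session-reuse condition described above; it is not Cisco PIX code. It abstracts IKE peer authentication to a group pre-shared key check and user authentication (XAUTH) to a username/password lookup, ignores Diffie-Hellman, SPIs and lifetimes, and contrasts a session table that keys user authentication by source IP with one possible hardened design (an assumption, not Cisco's documented fix) that ties it to the SA that performed it. The group PSK, user database and addresses are all constructed.

```python
"""Model of VPN session reuse when user authentication is keyed by source IP.

Constructed example, not Cisco PIX code. Peer authentication is reduced to
a group pre-shared key comparison and user authentication to a password
lookup; the point is where the result of user authentication is stored.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import count
from typing import Optional

GROUP_PSK = "group-secret"        # constructed group pre-shared key (peer auth)
USERS = {"alice": "alice-pw"}     # constructed user database (user auth / XAUTH)

_sa_ids = count(1)


@dataclass
class IsakmpSa:
    sa_id: int
    peer_ip: str
    user: str      # user whose traffic this SA is authorised to carry


class VulnerablePix:
    """After 'alice' authenticates from 10.0.0.5 the user identity is
    remembered against the source IP. A later negotiation from the same
    IP that presents only the group PSK inherits her identity."""

    def __init__(self) -> None:
        self.user_by_ip: dict[str, str] = {}

    def negotiate(self, peer_ip: str, psk: str,
                  user: Optional[str] = None,
                  password: Optional[str] = None) -> Optional[IsakmpSa]:
        if psk != GROUP_PSK:                           # peer authentication
            return None
        if peer_ip in self.user_by_ip:                 # the flaw: IP stands in for user auth
            return IsakmpSa(next(_sa_ids), peer_ip, self.user_by_ip[peer_ip])
        if user is None or USERS.get(user) != password:   # user authentication
            return None
        self.user_by_ip[peer_ip] = user
        return IsakmpSa(next(_sa_ids), peer_ip, user)


class HardenedPix:
    """Hypothetical hardened design: user authentication is a property of
    the SA that performed it, never of the address. Every new negotiation
    must pass both checks, and any older SA held by the same address is
    replaced so the blocked user's state cannot be inherited."""

    def __init__(self) -> None:
        self.sa_by_ip: dict[str, IsakmpSa] = {}

    def negotiate(self, peer_ip: str, psk: str,
                  user: Optional[str] = None,
                  password: Optional[str] = None) -> Optional[IsakmpSa]:
        if psk != GROUP_PSK:                           # peer authentication
            return None
        if user is None or USERS.get(user) != password:   # user authentication, every time
            return None
        sa = IsakmpSa(next(_sa_ids), peer_ip, user)
        self.sa_by_ip[peer_ip] = sa   # replaces whatever the previous holder of the IP had
        return sa


def hijack_scenario(pix) -> tuple[bool, bool]:
    """Returns (victim_logged_in, attacker_obtained_victim_session)."""
    victim = pix.negotiate("10.0.0.5", GROUP_PSK, "alice", "alice-pw")
    # The attacker blocks alice's connection, takes over 10.0.0.5 and
    # knows only the group PSK, not alice's password.
    attacker = pix.negotiate("10.0.0.5", GROUP_PSK)
    return victim is not None, attacker is not None and attacker.user == "alice"


if __name__ == "__main__":
    print("vulnerable:", hijack_scenario(VulnerablePix()))
    print("hardened:  ", hijack_scenario(HardenedPix()))
```

Run with a Python 3.9 or later interpreter. The vulnerable table reports `(True, True)`: alice logs in, and the attacker's second negotiation from her address is granted a session in her name without ever presenting her credentials. The hardened table reports `(True, False)` because the second negotiation is refused for lack of user credentials, and an attacker without the group PSK is refused by both.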
A user starting a connection via FTP, Telnet, or the World Wide Web (HTTP)
is prompted for a user name and password. If the designated TACACS+ or RADIUS
authentication server verifies the credentials, the PIX Firewall unit allows
further traffic on that connection to pass through the unit without involving
the authentication server again; this is the PIX Firewall unit's "cut-through
proxy" feature.
The PIX may crash and reload due to a buffer overflow while processing HTTP
requests for authentication using TACACS+ or
The Internetworking Terms and Acronyms online guide can be found at
The Cisco Systems Terms and Acronyms online guide can be found at
These vulnerabilities are documented in the
Toolkit as Bug IDs CSCdv83490 and CSCdx35823, and can be viewed after
2002 November 21 at 1600 UTC. To access this tool, you must be a
user and you must be logged in.