-
This advisory documents vulnerabilities in the Cisco VPN 3000 series concentrators and the Cisco VPN 3002 Hardware Client. These vulnerabilities are documented as Cisco bug IDs CSCea77143 (IPSec over TCP), CSCdz15393 (SSH), and CSCdt84906 (ICMP). Workarounds are available to mitigate the effects of these vulnerabilities. Upgrading to the latest version of code for the Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client, versions 4.0.1 and 3.6.7F, protects against all of the documented vulnerabilities.
This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030507-vpn3k.
-
This section provides details on affected products.
Vulnerable Products
The Cisco VPN 3000 series concentrators are affected by these vulnerabilities. This series includes models 3005, 3015, 3030, 3060, 3080 and the Cisco VPN 3002 Hardware Client.
DDTS - Description        Affected Releases
CSCea77143 - enabling IPSec over TCP vulnerability
  - 4.0.REL
  - 3.6.REL through 3.6.7E
  - 3.5.x
  - 3.1.x, 3.0.x and 2.x.x are NOT affected.
CSCdz15393 - malformed SSH initialization packet vulnerability
  - 3.6.REL through 3.6.6
  - 3.5.x
  - 3.1.x
  - 3.0.x
  - 2.x.x
CSCdt84906 - malformed ICMP traffic vulnerability
  - 3.6.REL through 3.6.7
  - 3.5.x
  - 3.1.x
  - 3.0.x
  - 2.x.x
To determine if a Cisco VPN 3000 series concentrator is running affected software, check the software revision via the web interface or the console menu.
Products Confirmed Not Vulnerable
These vulnerabilities do not affect the VPN Client software nor the Cisco VPN 5000 series concentrators. No other Cisco products are currently known to be affected by these vulnerabilities.
This table provides details about these vulnerabilities.
DDTS - Description        Details
CSCea77143 - enabling IPSec over TCP vulnerability
Enabling IPSec over TCP for a port on the VPN 3000 series concentrator allows TCP traffic on that port to traverse the concentrator and reach the private network.
For example, if IPSec over TCP is configured to use port 80 and the private network is routable from the public network (i.e. a workstation on the public network has the VPN 3000 series concentrator configured as the gateway for the private network's IP address space), one can browse web servers on the private network that serve port 80 from that workstation without any form of authentication. As another example, if IPSec over TCP was not configured for port 80 but was configured for its default port of 10000, and a server on the private network was listening for telnet connections on port 10000, then one could telnet to that server from the workstation on the public network.
For more information on IPSec over TCP, please refer to the documentation available at /en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce2c.html#1279809
CSCdz15393 - malformed SSH initialization packet vulnerability
A malformed SSH initialization packet sent during the initial SSH session setup may reload the VPN 3000 series concentrator.
CSCdt84906 - malformed ICMP traffic vulnerability
A flood of malformed ICMP packets could result in performance degradation on the VPN 3000 series concentrator and may even cause the concentrator to reload.
These vulnerabilities are documented in the Cisco Bug Toolkit (registered customers only) as Bug IDs CSCea77143, CSCdz15393, and CSCdt84906, and can be viewed after 2003 May 8 at 1600 UTC. To access this tool, you must be a registered user and you must be logged in.
The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
-
The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code.
DDTS - Description        Workaround
CSCea77143 - enabling IPSec over TCP vulnerability
Add rules to the filter for the private interface that restrict outgoing traffic on the ports configured for use by IPSec over TCP on the VPN concentrator. This would not stop traffic from the public network from reaching the VPN 3000 concentrator itself, but it would prevent that traffic from reaching the servers on the private network.
CSCdz15393 - malformed SSH initialization packet vulnerability
Restrict access to the SSH server on the VPN 3000 series concentrator by applying appropriate rules to the filters for the interfaces, such that connections are permitted only from trusted client hosts.
CSCdt84906 - malformed ICMP traffic vulnerability
Only allow legitimate ICMP traffic to reach the VPN 3000 series concentrator's interfaces.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
DDTS - Description        Fixed Releases
CSCea77143 - enabling IPSec over TCP vulnerability
  - 4.0.1 and later
  - 3.6.7F and later
  - 3.1.x, 3.0.x and 2.x.x are NOT affected
CSCdz15393 - malformed SSH initialization packet vulnerability
  - 4.0.REL and later
  - 3.6.7 and later
CSCdt84906 - malformed ICMP traffic vulnerability
  - 4.0.REL and later
  - 3.6.7A and later
The procedure to upgrade to the fixed software version is detailed at http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/.
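As an added example (not part of the advisory and not a Cisco tool), the following Python script encodes the Affected Releases and Fixed Releases tables from this advisory and reports, for a software revision read from the concentrator's web interface or console menu, which of the three bug IDs apply. The version-ordering rules it assumes (x.y.REL precedes x.y.1, and a trailing letter such as 3.6.7E sorts after the bare 3.6.7) are inferred from how the tables are written; the train wildcards such as 3.5.x and 2.x.x are taken directly from the tables.

```python
import re

# Version strings in the advisory tables look like "4.0.REL", "3.6.7",
# "3.6.7E" or "3.5.2". Assumed ordering: "x.y.REL" is the first release of
# a train and sorts before "x.y.1"; a trailing letter is a later interim
# build, so "3.6.7" < "3.6.7A" < "3.6.7E" < "3.6.7F".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(REL|\d+)([A-Z]?)$")


def parse_version(text: str) -> tuple:
    """Turn '3.6.7E' into the sortable tuple (3, 6, 7, 'E')."""
    m = _VERSION_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised VPN 3000 version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), 0 if patch == "REL" else int(patch), letter)


# Transcribed from the advisory's Affected Releases / Fixed Releases tables.
# Each bug maps to a list of (major, minor, first_fixed) entries:
#   - a version in that train is affected when it is older than first_fixed
#   - first_fixed=None means every release in the train is affected
#   - minor=None means every train under that major (the advisory's "2.x.x")
# Trains not listed for a bug are not affected by it (e.g. 3.1.x for CSCea77143).
AFFECTED = {
    "CSCea77143": [(4, 0, "4.0.1"), (3, 6, "3.6.7F"), (3, 5, None)],
    "CSCdz15393": [(3, 6, "3.6.7"), (3, 5, None), (3, 1, None), (3, 0, None), (2, None, None)],
    "CSCdt84906": [(3, 6, "3.6.7A"), (3, 5, None), (3, 1, None), (3, 0, None), (2, None, None)],
}


def is_affected(version: str, bug_id: str) -> bool:
    """True if the given concentrator version is affected by bug_id."""
    v = parse_version(version)
    for major, minor, first_fixed in AFFECTED[bug_id]:
        if v[0] != major or (minor is not None and v[1] != minor):
            continue
        return first_fixed is None or v < parse_version(first_fixed)
    return False


def check_concentrator(version: str) -> dict:
    """Map each bug ID in the advisory to whether this version is affected."""
    return {bug: is_affected(version, bug) for bug in AFFECTED}


if __name__ == "__main__":
    # Sample revisions (constructed) spanning the trains in the tables.
    for ver in ("2.5.1", "3.1.4", "3.6.7E", "3.6.7F", "4.0.REL", "4.0.1"):
        hits = [bug for bug, affected in check_concentrator(ver).items() if affected]
        print(f"{ver:8s} affected by: {', '.join(hits) or 'none'}")
```

Feed it the revision string exactly as the concentrator displays it; a version it cannot parse raises rather than silently reporting "not affected", which is the safer failure mode for an inventory check.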
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to PSIRT by internal development testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0    2003-May-7    Initial public release.
Revision 1.1    2003-May-7    Corrected the Affected Products table.
Revision 1.2    2003-May-8    Corrected the link in the Obtaining Fixed Software section.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.