
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-02-01



Cisco VPN 3000 crafted HTTP attack

Published: 2006-02-01
Last Updated: 2006-02-06 18:37:18 UTC
by Adrien de Beaupre (Version: 1)
The Cisco advisory is located at:
 http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_security_advisory09186a00805f0147.shtml

According to the advisory, version 4.7.2(C) resolves this issue.
The workaround is to disable HTTP (tcp/80) on the concentrator's WebVPN interface.

This remote exploit involves sending a small stream (less than 50 packets) of tcp/80 traffic to a Cisco VPN 3000 Concentrator appliance running the WebVPN service. After this occurs, all sessions currently accessing the appliance are dropped, and no further communication is possible until the system is powered down and restarted. No authentication or credentials are required to exercise this vulnerability.

By default, the WebVPN Service permits both tcp/80 (HTTP) and tcp/443 (HTTPS) inbound; the appliance performs a redirect from the HTTP query to HTTPS. The vulnerability exists within the code base responsible for the redirect.

From: http://www.esentire.com/news/vuln-cisco-vpn.html

Update (06 Feb 2006)
At present, we recommend that all users of Cisco VPN 3000 firmware running WebVPN upgrade to the newest version (currently 4.7.2D) AND disable inbound tcp/80 access to the concentrator as the fix for this exploit. The upgrade alone closes the bug; blocking tcp/80 removes the exposed redirect path entirely and covers units that cannot be upgraded immediately.
Thanks Eldon!
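Once tcp/80 has been disabled on the concentrator (or filtered upstream), the state to confirm from outside is simple: tcp/80 must no longer complete a TCP handshake, while tcp/443 still must, so legitimate WebVPN users are unaffected. The following script is an added example written for this diary, not code from Cisco or eSentire; the target address 192.0.2.10 is a placeholder from the documentation range, and the loopback listener in `self_test()` is a constructed stand-in for the appliance so the script can be exercised offline.

```python
"""Verify the WebVPN workaround from the network side.

Added example for this diary (not Cisco's or eSentire's code).
Assumption: the mitigation is "in place" when tcp/80 does NOT complete a
handshake (refused or dropped) and tcp/443 still does.
"""
import socket
import sys


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a single TCP port from the client's point of view.

    'open'     -> three-way handshake completed (service is listening)
    'closed'   -> host answered with RST (connection refused)
    'filtered' -> no answer before the timeout (dropped by a filter)
    'error'    -> no route / name resolution failure / other socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


def workaround_in_place(host: str, http_port: int = 80, https_port: int = 443,
                        timeout: float = 3.0) -> dict:
    """Probe the two ports WebVPN listens on by default.

    Returns the per-port state plus a verdict: mitigated only if tcp/80
    is unreachable AND tcp/443 is still reachable. A result where 443 is
    also down means the check cannot tell the concentrator from an outage.
    """
    http = probe(host, http_port, timeout)
    https = probe(host, https_port, timeout)
    return {
        "http": http,
        "https": https,
        "mitigated": http != "open" and https == "open",
    }


def self_test() -> dict:
    """Run the check against a constructed loopback target.

    A listening socket on 127.0.0.1 stands in for the concentrator's
    tcp/443; a port that was bound and released stands in for tcp/80
    after the workaround (connections to it are refused).
    """
    https_sock = socket.socket()
    https_sock.bind(("127.0.0.1", 0))
    https_sock.listen(5)
    https_port = https_sock.getsockname()[1]

    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    http_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more -> RST on connect

    try:
        good = workaround_in_place("127.0.0.1", http_port, https_port, 1.0)
        # the unmitigated case: tcp/80 still accepts connections
        bad = workaround_in_place("127.0.0.1", https_port, https_port, 1.0)
    finally:
        https_sock.close()
    return {"mitigated_case": good, "unmitigated_case": bad}


if __name__ == "__main__":
    # Usage: python check_webvpn.py <concentrator-address>
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder
    verdict = workaround_in_place(target)
    print(f"{target}: tcp/80={verdict['http']} tcp/443={verdict['https']} "
          f"mitigated={verdict['mitigated']}")
```

Run it from a host on the outside of whatever filter is meant to block tcp/80; a probe from inside the perimeter will happily report "open" because the upstream ACL is not on its path. A `filtered` result on tcp/80 is the expected outcome of an upstream block, `closed` is what you see when HTTP is disabled on the appliance itself; both count as mitigated.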
 
Cheers,
Adrien
 

Recommended Block List

Published: 2006-02-01
Last Updated: 2006-02-02 14:02:08 UTC
by Johannes Ullrich (Version: 2)
Update:
Based on feedback from Intercage customers, we no longer recommend blocking them. Please let us know if you see any problems from 69.50.160.0/19 and we will try to facilitate contact and a resolution.

Updated Update:

Sunbelt posted this blog post documenting the issues with Intercage. As a comment: we do not say that Intercage is a safe and clean network now. However, they appear to have some valid customers. Please decide for yourself if you need the valid sites badly enough to risk exposure to the malware hosted at Intercage.

I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks.

They have been associated with a number of high-profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non-responsive to current and past requests to remove malicious content.
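Whether or not you block outright, the first thing to know is how often your own traffic touches these two ranges: a WMF exploit page that resolves its name servers inside one of them shows up as DNS and HTTP flows to those addresses. The script below is an added example for this diary, not ISC code. It carries the two netblocks exactly as listed above, scans log lines for IPv4 addresses and reports which netblock each hit belongs to, and takes an `enabled` set so a range withdrawn from the list (as the update did for Intercage) can be switched off without deleting it. The firewall and BIND-style log lines in `SAMPLE_LOG` are constructed for the example.

```python
"""Flag log lines that touch the netblocks named in this diary.

Added example (not ISC code). The two ranges are the ones listed in the
diary; the log lines in SAMPLE_LOG are constructed for illustration.
"""
import ipaddress
import re

# Netblocks exactly as given in the diary.
BLOCK_LIST = {
    "InterCage Inc.": ipaddress.ip_network("69.50.160.0/19"),   # 69.50.160.0 - 69.50.191.255
    "Inhoster": ipaddress.ip_network("85.255.112.0/20"),        # 85.255.112.0 - 85.255.127.255
}

# Dotted-quad finder; ipaddress does the real validation (rejects 999.1.1.1).
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: two iptables-style firewall lines that touch the
# ranges, one BIND query line, and two near-misses just outside each range.
SAMPLE_LOG = """\
Feb  1 10:02:11 fw1 kernel: IN=eth0 OUT= SRC=69.50.170.5 DST=192.0.2.44 PROTO=TCP SPT=4432 DPT=80
Feb  1 10:02:15 fw1 kernel: IN=eth1 OUT=eth0 SRC=192.0.2.51 DST=85.255.120.7 PROTO=TCP SPT=3311 DPT=80
Feb  1 10:03:02 ns1 named[812]: client 192.0.2.51#1067: query: badsite.example IN A
Feb  1 10:03:40 fw1 kernel: IN=eth0 OUT= SRC=69.50.200.1 DST=192.0.2.44 PROTO=TCP SPT=5120 DPT=25
Feb  1 10:04:09 fw1 kernel: IN=eth1 OUT=eth0 SRC=192.0.2.51 DST=85.255.130.2 PROTO=UDP SPT=1025 DPT=53
""".splitlines()


def match_netblock(ip: str, enabled=None):
    """Return the name of the listed netblock containing ip, or None.

    enabled: optional set of netblock names to consider; defaults to all.
    Raises ValueError for strings that are not valid IP addresses.
    """
    addr = ipaddress.ip_address(ip)
    for name, net in BLOCK_LIST.items():
        if enabled is not None and name not in enabled:
            continue
        if addr in net:
            return name
    return None


def scan(lines, enabled=None):
    """Scan log lines; return [(line_no, ip, netblock_name), ...] for hits.

    Every address on a line is checked, so both SRC and DST (or a resolved
    answer in a DNS log) are caught. Malformed dotted quads are skipped.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            try:
                owner = match_netblock(ip, enabled)
            except ValueError:
                continue
            if owner:
                hits.append((line_no, ip, owner))
    return hits


if __name__ == "__main__":
    # Full list, as originally recommended:
    for line_no, ip, owner in scan(SAMPLE_LOG):
        print(f"line {line_no}: {ip} is in {owner}")
    # After the update withdrew Intercage, keep only Inhoster active:
    print("Inhoster only:", scan(SAMPLE_LOG, enabled={"Inhoster"}))
```

Feed it real lines with `scan(open(path))`; the output is a list, so it can be counted per netblock before deciding whether a block is worth the collateral damage the update warns about.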


nmap 4.00 released

Published: 2006-02-01
Last Updated: 2006-02-01 18:44:46 UTC
by Adrien de Beaupre (Version: 1)
nmap has got to be one of my favourite and most-often-used tools.
I am using it as I type this   :)

From nmap-hackers:
Hot on the heels of 3.9999 (you could probably guess this was
coming), I am pleased to announce that Nmap 4.00 is now available!

Documentation: http://www.insecure.org/nmap/docs.html
Download: http://www.insecure.org/nmap/download.html
Release Announcement:
http://www.insecure.org/stf/Nmap-4.00-Release.html

Cheers,
Adrien