
Cisco VPN 3000 crafted HTTP attack

Published: 2006-02-01
Last Updated: 2006-02-06 18:37:18 UTC
by Adrien de Beaupre (Version: 1)
The Cisco advisory is located at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_security_advisory09186a00805f0147.shtml

Apparently version 4.7.2(C) resolves this issue.
The workaround is to disable HTTP.

This remote exploit involves sending a small stream (less than 50 packets) of tcp/80 traffic to a Cisco VPN 3000 Concentrator appliance running the WebVPN service. After this occurs, all sessions currently accessing the appliance are dropped, and no further communication is possible until the system is powered down and restarted. No authentication or credentials are required to exercise this vulnerability.

By default, the WebVPN Service permits both tcp/80 (HTTP) and tcp/443 (HTTPS) inbound; the appliance performs a redirect from the HTTP query to the HTTPS. The vulnerability exists within the code base responsible for the redirect.

From: http://www.esentire.com/news/vuln-cisco-vpn.html

Update (06 Feb 2006)
At present, we recommend that all users of firmware that uses Cisco's WebVPN upgrade to the newest version (currently 4.7.2D) AND disable inbound tcp/80 access as a fix for this exploit.
Thanks Eldon!
 
Cheers,
Adrien