Cisco VPN 3000 crafted HTTP attack

Published: 2006-02-01
Last Updated: 2006-02-06 18:37:18 UTC
by Adrien de Beaupre (Version: 1)
The Cisco advisory is located at:

Apparently version 4.7.2(C) resolves this issue.
The workaround is to disable HTTP.

This remote exploit involves sending a small stream (fewer than 50 packets) of tcp/80 traffic to a Cisco VPN 3000 Concentrator appliance running the WebVPN service. Once this occurs, all sessions currently connected to the appliance are dropped, and no further communication is possible until the system is powered down and restarted. No authentication or credentials are required to trigger this vulnerability.

By default, the WebVPN service permits both tcp/80 (HTTP) and tcp/443 (HTTPS) inbound; the appliance redirects HTTP requests to HTTPS. The vulnerability lies in the code that performs this redirect.
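Because the trigger is a short burst of tcp/80 traffic rather than a large flood, a defender watching flow or firewall logs should alert on even a modest number of HTTP packets reaching the concentrator from one source, and on any tcp/80 at all once the workaround (HTTP disabled / inbound tcp/80 blocked) is in place. The following Python script is an added example, not part of this diary or Cisco's advisory; the concentrator address, the flow-record format and the sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (assumed format): timestamp src dst proto dport packets
SAMPLE_FLOWS = """\
2006-02-01T10:00:01Z 198.51.100.7 192.0.2.10 tcp 443 12
2006-02-01T10:00:02Z 198.51.100.7 192.0.2.10 tcp 80 3
2006-02-01T10:00:03Z 203.0.113.5 192.0.2.10 tcp 80 20
2006-02-01T10:00:04Z 203.0.113.5 192.0.2.10 tcp 80 18
2006-02-01T10:00:05Z 198.51.100.9 192.0.2.10 tcp 443 40
2006-02-01T10:05:00Z 203.0.113.5 192.0.2.10 tcp 80 2
"""

CONCENTRATOR = "192.0.2.10"  # assumed address of the VPN 3000 (placeholder)


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, pkts = line.split()
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "pkts": int(pkts)})
    return flows


def http_bursts(flows, concentrator, window_s=60, threshold=10):
    """Return {src: peak_packets} for sources whose tcp/80 packets to the
    concentrator reach `threshold` within any sliding window of `window_s`
    seconds. The diary's trigger is under 50 packets, so the default
    threshold is deliberately low; use threshold=1 after tcp/80 is blocked,
    when any HTTP reaching the appliance means the workaround has failed."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dst"] == concentrator and f["proto"] == "tcp" and f["dport"] == 80:
            per_src[f["src"]].append(f)
    alerts = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        start, total = 0, 0
        for r in recs:
            total += r["pkts"]
            # Slide the window forward, dropping records older than window_s.
            while (r["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                total -= recs[start]["pkts"]
                start += 1
            if total >= threshold:
                alerts[src] = max(alerts.get(src, 0), total)
    return alerts


if __name__ == "__main__":
    for src, n in http_bursts(parse_flows(SAMPLE_FLOWS), CONCENTRATOR).items():
        print(f"ALERT {src} sent {n} tcp/80 packets to {CONCENTRATOR} within 60s")
```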


Update (06 Feb 2006)
At present, we recommend that all users of firmware that uses Cisco's WebVPN upgrade to the newest version (currently 4.7.2D) AND disable inbound tcp/80 access as a fix for this exploit.
Thanks Eldon!