SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information

Report a Vulnerability

 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#727780

Cisco VPN 3000 Concentrator may allow access to internal hosts when IPsec over TCP is enabled

Overview

A vulnerability in some Cisco Virtual Private Network (VPN) products could allow a remote attacker to access systems that should not be accessible.

I. Description

The Cisco VPN 3000 Series Concentrators and the Cisco VPN 3002 Hardware Clients are Virtual Private Network (VPN) platforms designed to provide secure remote network access. Some models of these devices contain a vulnerability by which a TCP port selected for forwarding IPsec over TCP traffic is forwarded to all systems on the protected network and not just the systems using IPsec. This may allow an attacker to access services that should not be accessible from the public network without authentication of any sort.

II. Impact

A remote attacker may be able to gain unintended access to the private network on the affected device. Attackers could leverage this access to exploit additional, unrelated vulnerabilities in services that use the same TCP port as that used to tunnel the IPsec traffic.

III. Solution

Cisco Systems Inc. has released software patches and workaround information for this vulnerability. Please see the vendor information section of this document for more details.

Workarounds

Cisco recommends adding rules to the filter for the private interface that restrict outgoing traffic on ports configured for use by IPsec over TCP on the VPN concentrator. This would not stop the traffic from the public network reaching the VPN 3000 concentrator itself but would prevent the traffic from reaching the servers on the private network.

If patches cannot be applied, sites may wish to select a less-commonly used TCP port for the IPsec tunnel to limit the services that might be available to attack over the tunnel.

Systems Affected

VendorStatusDate NotifiedDate Updated
Cisco Systems Inc.Vulnerable8-May-2003

References

http://www.cisco.com/warp/public/707/cisco-sa-20030507-vpn3k.shtml
http://www.iss.net/security_center/static/11954.php

Credit

Thanks to Cisco Systems Product Security Incident Response Team for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

Date Public:2003-05-07
Date First Published:2003-06-23
Date Last Updated:2003-06-23
CERT Advisory: 
CVE-ID(s):CAN-2003-0258
NVD-ID(s):CAN-2003-0258
US-CERT Technical Alerts: 
Severity Metric:23.73
Document Revision:10

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get a PDF Reader