The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco VPN Concentrator

computer vulnerability alert CVE-2007-4414 CVE-2007-4415 CVE-2011-2678

Cisco VPN Client: privilege elevation

Synthesis of the vulnerability

A local attacker can elevate his privileges via the Cisco VPN Client.
Impacted products: Cisco VPN Concentrator, Windows (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/08/2007.
Revisions dates: 17/08/2007, 25/03/2011, 05/07/2011.
Identifiers: 91923, BID-25332, cisco-sa-20070815-vpnclient, CSCse89550, CSCsj00785, CSCtn50645, CVE-2007-4414, CVE-2007-4415, CVE-2011-2678, NGS00051, NGS00503, VIGILANCE-VUL-7096.

Description of the vulnerability

The Windows version of the Cisco VPN Client has two vulnerabilities.

A local attacker can enable the SBL (Start Before Logon) feature and use Microsoft Dial-Up Networking in order to execute commands with LocalSystem privileges. [severity:2/4; CSCse89550, CVE-2007-4414]

Permissions on the cvpnd.exe file permit a local attacker to replace it with a Trojan horse. This file is the Cisco VPN Service, which runs with LocalSystem privileges. [severity:2/4; CSCsj00785, CSCtn50645, CVE-2007-4415, NGS00051, NGS00503]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2010-4354

Cisco ASA, PIX, VPN: enumeration of groupnames

Synthesis of the vulnerability

When PSK authentication is used, an attacker can guess valid identifiers with a brute force attack.
Impacted products: ASA, Cisco VPN Concentrator.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 30/11/2010.
Identifiers: 112227, BID-45161, cisco-sr-20101124-vpn-grpname, CSCtj96108, CVE-2010-4354, NGS00014, VIGILANCE-VUL-10166.

Description of the vulnerability

VPN PSK (Pre-Shared Key) authentication uses an identifier and password pair: the identifier is called the "groupname", and the password is the pre-shared key.

When a VPN client authenticates with an invalid identifier, Cisco products do not answer, whereas a valid identifier receives a response packet. An attacker can thus determine whether an identifier is valid.

Impacted products are:
 - Cisco ASA 5500
 - Cisco PIX 500
 - Cisco VPN 3000 Series Concentrators

When PSK authentication is used, an attacker can therefore guess valid identifiers with a brute force attack.

computer vulnerability note 6649

Cisco: Cross Site Scripting of online help

Synthesis of the vulnerability

An attacker can perform a Cross Site Scripting attack against Cisco products with online help activated.
Impacted products: Cisco Catalyst, CiscoWorks, Secure ACS, Cisco VPN Concentrator.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/03/2007.
Identifiers: 82421, BID-22982, cisco-sr-20070315-xss, VIGILANCE-VUL-6649.

Description of the vulnerability

Online web help can be installed on several Cisco products.

The search script of this help (PreSearch.html or PreSearch.class) does not correctly filter the parameters it receives.

An attacker can therefore perform a Cross Site Scripting attack in order to execute JavaScript code in the victim's web browser.

computer vulnerability CVE-2006-4313

Cisco VPN: access to some FTP commands

Synthesis of the vulnerability

Two vulnerabilities in the Cisco VPN 3000 series permit an attacker to execute some FTP commands.
Impacted products: Cisco VPN Concentrator.
Severity: 2/4.
Consequences: data creation/edition, data deletion.
Provenance: internet client.
Creation date: 24/08/2006.
Revision date: 25/10/2006.
Identifiers: 71141, BID-19680, cisco-sa-20060823-vpn3k, CSCse10733, CSCse10753, CVE-2006-4313, VIGILANCE-VUL-6115.

Description of the vulnerability

The FTP protocol is activated by default for administering the Cisco VPN concentrator.

An attacker can use two vulnerabilities to execute the following FTP commands:
 - CDUP, CWD: change directory
 - MKD: create a directory
 - RMD: remove a directory
 - RNFR: rename a file
 - SIZE: obtain the size of a file

These vulnerabilities therefore permit an attacker, authenticated or not, to alter the concentrator (for example by renaming a file), but do not permit downloading or uploading a configuration.

computer vulnerability announce CVE-2006-3906

Cisco VPN, IOS, PIX, Catalyst: denial of service via IKE

Synthesis of the vulnerability

An attacker can send a few IKE packets per second in order to saturate Cisco VPN Concentrator, IOS, Catalyst and PIX devices.
Impacted products: ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, Cisco VPN Concentrator.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: intranet client.
Creation date: 26/07/2006.
Revision date: 27/07/2006.
Identifiers: BID-19176, CVE-2006-3906, VIGILANCE-VUL-6037.

Description of the vulnerability

The IPSec protocol is used to create VPNs. To create an IPSec tunnel, SAs (Security Associations: algorithm, key size, etc.) have to be shared between both ends. The SAs can be set by the administrator or exchanged automatically; in the latter case, the IKE protocol (Internet Key Exchange) is used. IKE is based on ISAKMP (and Oakley/SKEME). The ISAKMP protocol (Internet Security Association and Key Management Protocol) defines a generic framework (format and mechanism). ISAKMP uses two phases: setting up a secure connection (phase 1, main mode or aggressive mode), then using this connection to exchange one or several SAs (phase 2, quick mode). The aggressive mode uses fewer packets than main mode, and is therefore not recommended.

The Cisco VPN Concentrator, IOS, Catalyst and PIX products accept IKE version 1 packets without filtering them. However, analyzing each packet can take up to 500 ms. This analysis is performed in both "aggressive" and "main" modes, and occurs before authentication.

An attacker can therefore send a few packets per second in order to saturate the product, which then no longer serves legitimate clients.

vulnerability CVE-2006-3073

WebVPN: Cross Site Scripting

Synthesis of the vulnerability

An attacker can use a Cross Site Scripting attack against the WebVPN clientless mode.
Impacted products: Cisco VPN Concentrator.
Severity: 1/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 14/06/2006.
Identifiers: BID-18419, CSCsd81095, CSCse48193, CVE-2006-3073, VIGILANCE-VUL-5920.

Description of the vulnerability

The clientless mode of WebVPN permits users to establish a VPN tunnel using a web browser. To do so, they connect to an SSL web server hosted on the concentrator.

Two pages of this web server can be used for a Cross Site Scripting attack:
 - /webvpn/dnserror.html (domain parameter)
 - /webvpn/connecterror.html

An attacker can thus, for example, use a script to alter the behavior of the user's session.

vulnerability alert 5801

Cisco VPN 3000: denial of service of HTTP service

Synthesis of the vulnerability

An attacker can send HTTP packets to the HTTP service in order to stop the device.
Impacted products: Cisco VPN Concentrator.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: intranet client.
Creation date: 27/04/2006.
Identifiers: 68869, cisco-sa-20060126-vpn, CSCsb77324, CSCsd26340, VIGILANCE-VUL-5801.

Description of the vulnerability

The HTTP service is activated by default on Cisco VPN 3000. It has two vulnerabilities.

An attacker can send malicious HTTP packets in order to stop the device (CSCsb77324).

An attacker can open numerous HTTP connections in order to overload the device (CSCsd26340).

computer vulnerability 5565

Cisco VPN 3000: denial of service via crafted HTTP packets

Synthesis of the vulnerability

An attacker can force the VPN concentrator to reset and disconnect users by sending malicious HTTP packets.
Impacted products: Cisco VPN Concentrator.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 27/01/2006.
Identifiers: BID-16394, cisco-sa-20060126-vpn, CSCsb77324, VIGILANCE-VUL-5565.

Description of the vulnerability

Cisco VPN 3000 concentrators have HTTP access enabled by default.

If HTTP access is configured on the concentrator, it is possible to send a malicious HTTP packet that resets the concentrator and disconnects its users.

An attacker can repeat this operation several times in order to prevent every new connection to the concentrator, and thus cause a denial of service.

computer vulnerability announce CVE-2005-4499

Cisco ACS: incorrect management of RADIUS Downloadable ACL

Synthesis of the vulnerability

RADIUS Downloadable ACLs are not securely transmitted by Cisco ACS.
Impacted products: ASA, Secure ACS, Cisco VPN Concentrator.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: LAN.
Creation date: 22/12/2005.
Identifiers: 61965, BID-16025, CSCee92021, CSCef21184, CSCeh22447, CSCin79018, CSCsc89235, CVE-2005-4499, VIGILANCE-VUL-5447.

Description of the vulnerability

When a Cisco PIX or Cisco VPN Concentrator user is authenticated, specific ACLs can be applied. These ACLs are transferred using a special user named "#ACSACL#-IP-uacl-random".

However:
 - this username is sent in the clear
 - its password is the same as its name

An attacker can therefore capture the name and use it to authenticate to the Cisco Secure Access Control Server RADIUS server.

vulnerability announce CVE-2005-3666 CVE-2005-3667 CVE-2005-3668

IPSec: vulnerabilities of some ISAKMP protocol implementations

Synthesis of the vulnerability

Several implementations of the ISAKMP protocol are affected by the same vulnerabilities.
Impacted products: FW-1, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, Cisco VPN Concentrator, Debian, Fedora, Tru64 UNIX, HP-UX, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, Mandriva Linux, NETASQ, NetBSD, openSUSE, Openswan, Solaris, RHEL, SEF, SGS, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on server, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 14.
Creation date: 14/11/2005.
Revision date: 22/11/2005.
Identifiers: 102040, 102246, 10310, 20060501-01-U, 273756, 273756/NISCC/ISAKMP, 6317027, 6348585, 68158, BID-15401, BID-15402, BID-15416, BID-15420, BID-15474, BID-15479, BID-15516, BID-15523, BID-17030, BID-17902, c00602119, CERTA-2005-AVI-458, CERTA-2005-AVI-504, CQ/68020, CSCed94829, CSCei14171, CSCei15053, CSCei19275, CSCei46258, CSCsb15296, CVE-2005-3666, CVE-2005-3667, CVE-2005-3668, CVE-2005-3669, CVE-2005-3670, CVE-2005-3671, CVE-2005-3672, CVE-2005-3673, CVE-2005-3674, CVE-2005-3675, CVE-2005-3732, CVE-2005-3733, CVE-2005-3768, CVE-2006-2298, DSA-965-1, FEDORA-2005-1092, FEDORA-2005-1093, FLSA:190941, FLSA-2006:190941, HPSBTU02100, HPSBUX02076, MDKSA-2006:020, NetBSD-SA2006-003, NISCC/ISAKMP/273756, PR/61076, PR/61779, PSN-2005-11-007, RHSA-2006:026, RHSA-2006:0267-01, SEF8.0-20051114-00, sk31316, SSRT050979, SUSE-SA:2005:070, SYM05-025, VIGILANCE-VUL-5352, VU#226364.

Description of the vulnerability

The IPSec protocol is used to create VPNs. To create an IPSec tunnel, SAs (Security Associations: algorithm, key size, etc.) have to be shared between both ends. The SAs can be set by the administrator or exchanged automatically; in the latter case, the IKE protocol (Internet Key Exchange) is used. IKE is based on ISAKMP (and Oakley/SKEME). The ISAKMP protocol (Internet Security Association and Key Management Protocol) defines a generic framework (format and mechanism). ISAKMP uses two phases: setting up a secure connection (phase 1, main mode or aggressive mode), then using this connection to exchange one or several SAs (phase 2, quick mode). The aggressive mode uses fewer packets than main mode, and is therefore not recommended.

Several products incorrectly implement phase 1 of the ISAKMP/IKEv1 protocol. They contain buffer overflow, format string or denial of service vulnerabilities.

Depending on the product, these vulnerabilities lead to code execution or to a denial of service.