The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco VPN Concentrator

threat note CVE-2007-4414 CVE-2007-4415 CVE-2011-2678

Cisco VPN Client: privilege elevation

Synthesis of the vulnerability

A local attacker can elevate his privileges via the Cisco VPN Client.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/08/2007.
Revisions dates: 17/08/2007, 25/03/2011, 05/07/2011.
Identifiers: 91923, BID-25332, cisco-sa-20070815-vpnclient, CSCse89550, CSCsj00785, CSCtn50645, CVE-2007-4414, CVE-2007-4415, CVE-2011-2678, NGS00051, NGS00503, VIGILANCE-VUL-7096.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Windows version of the Cisco VPN Client has two vulnerabilities.

A local attacker can enable the SBL (Start Before Logon) feature and use Microsoft Dial-Up Networking in order to execute commands with LocalSystem privileges. [severity:2/4; CSCse89550, CVE-2007-4414]

Permissions on the cvpnd.exe file permit a local attacker to replace it with a Trojan horse. This file is the Cisco VPN Service binary, which runs with LocalSystem privileges, so the replacement runs as LocalSystem the next time the service starts. [severity:2/4; CSCsj00785, CSCtn50645, CVE-2007-4415, NGS00051, NGS00503]
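The check a practitioner wants for this class of bug is whether a service binary that runs as LocalSystem is writable by ordinary users. The example below is added here and is not part of the Vigil@nce bulletin or of Cisco's software: it parses the output of `icacls <file>` and reports ACEs that grant write-capable rights to low-privilege principals. The install path and the icacls output are constructed for the example (the path is the assumed default install location of the Cisco VPN Client), and the same check applies to any other service binary.

```python
"""Flag service binaries that low-privilege principals can modify, from
`icacls <file>` output. Sample path and output below are constructed."""
import re

# Rights tokens that allow altering the file: full, modify, write, delete,
# write data, append data, write attributes/EA, delete child, write DAC/owner,
# generic write/all. Inheritance tokens (I, OI, CI, IO, NP) are not rights.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC",
                "WDAC", "WO", "GW", "GA"}
# Principals any local user is a member of (compared case-insensitively).
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive", "authenticated users", "users"}

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)\s*$")


def parse_icacls(path, text):
    """Return [(principal, set of tokens)] from the output of `icacls path`.
    The first line carries the path before the first ACE, so the caller's
    own path is stripped; the trailing summary line is ignored."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unrecognised icacls line: " + line)
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("perms")):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((m.group("who"), tokens))
    return aces


def writable_by_low_priv(aces):
    """ACEs that let a low-privilege principal modify the binary, as
    (principal, sorted write rights). Deny ACEs (DENY token) are skipped."""
    hits = []
    for who, tokens in aces:
        if "DENY" in tokens or who.lower() not in LOW_PRIV:
            continue
        granted = tokens & WRITE_RIGHTS
        if granted:
            hits.append((who, sorted(granted)))
    return hits


# Constructed sample: Users hold Modify on the service binary, which is the
# weak-permission pattern described above. Path is the assumed default.
SAMPLE_PATH = r"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
SAMPLE_OUTPUT = SAMPLE_PATH + r""" BUILTIN\Users:(I)(M)
                                                    Everyone:(I)(RX)
                                                    NT AUTHORITY\SYSTEM:(I)(F)
                                                    BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in writable_by_low_priv(parse_icacls(SAMPLE_PATH, SAMPLE_OUTPUT)):
        print(f"WRITABLE by {who}: {','.join(rights)}")
```

In practice the text comes from running `icacls` on the real path; an empty result from writable_by_low_priv is the expected state for a binary that a LocalSystem service loads.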

security vulnerability CVE-2010-4354

Cisco ASA, PIX, VPN: enumeration of groupnames

Synthesis of the vulnerability

When a PSK authentication is used, an attacker can guess valid identifiers with a brute force attack.
Severity: 2/4.
Creation date: 30/11/2010.
Identifiers: 112227, BID-45161, cisco-sr-20101124-vpn-grpname, CSCtj96108, CVE-2010-4354, NGS00014, VIGILANCE-VUL-10166.

Description of the vulnerability

The VPN PSK (Pre-Shared Key) authentication uses an identifier and password pair. The identifier is called the "groupname". The password is the pre-shared key.

When a VPN client starts an IKE negotiation with an invalid identifier, Cisco products do not answer. When the identifier is valid, a reply packet is sent back. An attacker can thus determine whether an identifier is valid, without knowing the pre-shared key.

Impacted products are:
 - Cisco ASA 5500
 - Cisco PIX 500
 - Cisco VPN 3000 Series Concentrators

When PSK authentication is used, an attacker can therefore enumerate valid identifiers with a brute force attack, one candidate groupname per IKE initiation.

computer weakness bulletin 6649

Cisco: Cross Site Scripting of online help

Synthesis of the vulnerability

An attacker can generate a Cross Site Scripting attack on Cisco products with online help activated.
Severity: 2/4.
Creation date: 15/03/2007.
Identifiers: 82421, BID-22982, cisco-sr-20070315-xss, VIGILANCE-VUL-6649.

Description of the vulnerability

Online web help can be installed on several Cisco products.

The search script (PreSearch.html or PreSearch.class) of this help does not correctly filter the parameters it receives.

An attacker can therefore craft a Cross Site Scripting link in order to execute JavaScript code in the victim's web browser.

cybersecurity weakness CVE-2006-4313

Cisco VPN: access to some FTP commands

Synthesis of the vulnerability

Two vulnerabilities of Cisco VPN 3000 series permit an attacker to execute some FTP commands.
Severity: 2/4.
Creation date: 24/08/2006.
Revision date: 25/10/2006.
Identifiers: 71141, BID-19680, cisco-sa-20060823-vpn3k, CSCse10733, CSCse10753, CVE-2006-4313, VIGILANCE-VUL-6115.

Description of the vulnerability

The FTP service is enabled by default for administration of the Cisco VPN concentrator.

An attacker can use two vulnerabilities to execute the following FTP commands:
 - CDUP, CWD: change directory
 - MKD: create a directory
 - RMD: remove a directory
 - RNFR: rename a file
 - SIZE: obtain the size of a file

These vulnerabilities therefore permit an attacker, even unauthenticated, to alter the concentrator's file system (for example by renaming a file), but do not permit downloading or uploading a configuration.

weakness note CVE-2006-3906

Cisco VPN, IOS, PIX, Catalyst: denial of service via IKE

Synthesis of the vulnerability

An attacker can send a few IKE packets per second in order to saturate Cisco VPN Concentrator, IOS, Catalyst and PIX devices.
Severity: 2/4.
Creation date: 26/07/2006.
Revision date: 27/07/2006.
Identifiers: BID-19176, CVE-2006-3906, VIGILANCE-VUL-6037.

Description of the vulnerability

The IPsec protocol is used to create VPNs. To create an IPsec tunnel, SAs (Security Associations: algorithm, key size, etc.) have to be shared between both ends. The SAs can be set by the administrator, or negotiated automatically. In the latter case, the IKE protocol (Internet Key Exchange) is used. IKE is based on ISAKMP (and Oakley/SKEME). The ISAKMP protocol (Internet Security Association and Key Management Protocol) defines a generic framework (message format and mechanisms). ISAKMP uses two phases: set up a secure connection (phase 1, main mode or aggressive mode), then use this connection to exchange one or several SAs (phase 2, quick mode). Aggressive mode uses fewer packets than main mode, but sends the identity and the authentication hash before the channel is encrypted, and is therefore not recommended.

The Cisco VPN Concentrator, IOS, Catalyst and PIX products accept IKE version 1 packets without filtering them. However, processing each packet can take up to 500 ms. This processing is done in both "aggressive" and "main" modes, and occurs before authentication.

An attacker can therefore send a few packets per second in order to saturate the product, which then no longer serves legitimate clients.
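Both the groupname enumeration (bulletin 10166 above) and this IKE saturation bulletin concern what a Cisco device does with an unauthenticated IKEv1 phase-1 initiation, so one added example serves both. The code below is not from the Vigil@nce bulletins or from Cisco: it parses the ISAKMP header and payload chain (RFC 2408 layout), pulls the groupname out of the Identification payload of an aggressive-mode initiation, the field an enumeration tool varies and a defender can log, and counts phase-1 initiations per source per second to flag the low-rate flood described above. The packets and timestamps are constructed; the 2-per-second threshold is an assumption chosen from the 500 ms figure in the text, not a Cisco value.

```python
"""ISAKMP/IKEv1 phase-1 triage: groupname extraction from aggressive-mode
initiations and per-source initiation-rate flagging. All packets and
timestamps below are constructed for the example."""
import struct
from collections import defaultdict

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 header, 28 bytes
GENERIC_HDR = struct.Struct("!BBH")         # next payload, reserved, length
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
EXCHANGE_MAIN, EXCHANGE_AGGRESSIVE = 2, 4
ID_KEY_ID = 11                              # ID type carrying a groupname
ZERO_COOKIE = b"\x00" * 8


def build_packet(exchange_type, payloads, initiator_cookie=b"\x11" * 8):
    """Assemble an ISAKMP message from (payload_type, body) pairs. The
    responder cookie is zero, as in the first message of phase 1."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        next_p = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(next_p, 0, GENERIC_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(initiator_cookie, ZERO_COOKIE, first, 0x10,
                          exchange_type, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


def id_payload(groupname):
    """Identification payload: ID type, protocol (UDP), port 500, then data."""
    return struct.pack("!BBH", ID_KEY_ID, 17, 500) + groupname.encode()


def parse_packet(raw):
    """Parse the header and walk the payload chain with bounds checks.
    Returns (header dict, [(payload_type, body)])."""
    if len(raw) < ISAKMP_HDR.size:
        raise ValueError("short header")
    icookie, rcookie, next_p, version, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(raw)
    if length > len(raw):
        raise ValueError("length field exceeds packet")
    payloads, off = [], ISAKMP_HDR.size
    while next_p != 0:
        if off + GENERIC_HDR.size > length:
            raise ValueError("truncated payload header")
        nxt, _, plen = GENERIC_HDR.unpack_from(raw, off)
        if plen < GENERIC_HDR.size or off + plen > length:
            raise ValueError("bad payload length")
        payloads.append((next_p, raw[off + GENERIC_HDR.size:off + plen]))
        next_p, off = nxt, off + plen
    return {"icookie": icookie, "rcookie": rcookie, "version": version,
            "exchange": exch, "length": length}, payloads


def extract_groupname(raw):
    """Groupname from an aggressive-mode initiation, else None. In main
    mode the ID payload only travels encrypted, so nothing is visible."""
    hdr, payloads = parse_packet(raw)
    if hdr["exchange"] != EXCHANGE_AGGRESSIVE:
        return None
    for ptype, body in payloads:
        if ptype == PAYLOAD_ID and len(body) > 4 and body[0] == ID_KEY_ID:
            return body[4:].decode("ascii", "replace")
    return None


def flag_phase1_floods(events, per_second=2):
    """events: iterable of (timestamp, src_ip, raw_packet). Count phase-1
    initiations (zero responder cookie, main or aggressive exchange) per
    source per one-second window; return sources exceeding per_second."""
    counts = defaultdict(int)
    for ts, src, raw in events:
        hdr, _ = parse_packet(raw)
        if hdr["rcookie"] == ZERO_COOKIE and hdr["exchange"] in (EXCHANGE_MAIN, EXCHANGE_AGGRESSIVE):
            counts[(src, int(ts))] += 1
    return sorted({src for (src, _), n in counts.items() if n > per_second})


# Constructed traffic: one initiation from a client, then six in one second
# from another source (the "few packets per second" case in the text).
PROBE = build_packet(EXCHANGE_AGGRESSIVE, [
    (PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_KE, b"\x01" * 16),
    (PAYLOAD_NONCE, b"\x02" * 16), (PAYLOAD_ID, id_payload("vpngroup"))])
EVENTS = [(100.0, "10.0.0.5", PROBE)] + \
         [(101.0 + i * 0.1, "198.51.100.7", PROBE) for i in range(6)]

if __name__ == "__main__":
    print("groupname:", extract_groupname(PROBE))
    print("flooding sources:", flag_phase1_floods(EVENTS))
```

The same parser is what an enumeration tool checks on the wire: a reply whose responder cookie is non-zero means the device accepted the groupname, silence means it did not. On the defensive side, logging extract_groupname per source turns a brute-force run into a visible stream of distinct groupnames from one address.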

security weakness CVE-2006-3073

WebVPN: Cross Site Scripting

Synthesis of the vulnerability

An attacker can use a Cross Site Scripting attack on WebVPN clientless mode.
Severity: 1/4.
Creation date: 14/06/2006.
Identifiers: BID-18419, CSCsd81095, CSCse48193, CVE-2006-3073, VIGILANCE-VUL-5920.

Description of the vulnerability

The clientless mode of WebVPN permits users to establish a VPN session using only a web browser. To do so, they connect to an SSL web server hosted on the concentrator.

Two pages of this web server can be used for a Cross Site Scripting attack:
 - /webvpn/dnserror.html (domain parameter)
 - /webvpn/connecterror.html

An attacker can thus, for example, inject a script that alters the behavior of the user's session.

computer vulnerability announce 5801

Cisco VPN 3000: denial of service of HTTP service

Synthesis of the vulnerability

An attacker can send HTTP packets to the HTTP service in order to stop the device.
Severity: 2/4.
Creation date: 27/04/2006.
Identifiers: 68869, cisco-sa-20060126-vpn, CSCsb77324, CSCsd26340, VIGILANCE-VUL-5801.

Description of the vulnerability

The HTTP service is enabled by default on the Cisco VPN 3000. It has two vulnerabilities.

An attacker can send malicious HTTP packets in order to stop the device (CSCsb77324).

An attacker can open numerous HTTP connections in order to overload the device (CSCsd26340).

security alert 5565

Cisco VPN 3000: denial of service via crafted HTTP packets

Synthesis of the vulnerability

An attacker can force the VPN concentrator to reset and disconnect its users by sending malicious HTTP packets.
Severity: 2/4.
Creation date: 27/01/2006.
Identifiers: BID-16394, cisco-sa-20060126-vpn, CSCsb77324, VIGILANCE-VUL-5565.

Description of the vulnerability

Cisco VPN 3000 concentrators have HTTP access enabled by default.

If HTTP access is enabled on the concentrator, it is possible to send a malicious HTTP packet which resets the concentrator and disconnects all its users.

An attacker can repeat this operation several times in order to prevent every new connection to the concentrator, and thus cause a denial of service.

computer threat CVE-2005-4499

Cisco ACS: incorrect management of RADIUS Downloadable ACL

Synthesis of the vulnerability

RADIUS Downloadable ACLs are not securely transferred by Cisco ACS.
Severity: 1/4.
Creation date: 22/12/2005.
Identifiers: 61965, BID-16025, CSCee92021, CSCef21184, CSCeh22447, CSCin79018, CSCsc89235, CVE-2005-4499, VIGILANCE-VUL-5447.

Description of the vulnerability

When a Cisco PIX or Cisco VPN Concentrator user is authenticated, specific ACLs can be applied to the session. These ACLs are downloaded by the device with a second RADIUS authentication, using a special user named "#ACSACL#-IP-uacl-random".

However:
 - this username is sent in clear text
 - its password is the same as its name

An attacker who can observe the RADIUS traffic can therefore capture the name and use it to authenticate against the Cisco Secure Access Control Server RADIUS server, and so retrieve the ACL.
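The following is an added example, not code from the Vigil@nce bulletin or from Cisco ACS. It shows why the observation above matters at the packet level: in a RADIUS Access-Request (RFC 2865) the User-Name attribute is plain text while User-Password is only hidden with MD5 of the shared secret and the Request Authenticator. The example builds a constructed Access-Request for the "#ACSACL#-" pseudo-user, decodes its attributes without the secret, flags the pseudo-user, and decodes the password with the secret to show it equals the name. The shared secret, the "-4f3a1c" suffix and the authenticator are constructed values.

```python
"""RADIUS Access-Request triage for the #ACSACL# downloadable-ACL user.
The packet, secret and authenticator are constructed for the example."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, identifier=1, authenticator=None):
    """Code, identifier, length, 16-byte Request Authenticator, then
    type/length/value attributes. A real client uses a random authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    hidden = hide_user_password(password, secret, authenticator)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_radius(raw):
    """Return (code, identifier, authenticator, {attr_type: value}).
    No secret is needed: only User-Password is hidden, not the packet."""
    code, ident, length = struct.unpack_from("!BBH", raw)
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length")
    attrs, off = {}, 20
    while off < length:
        atype, alen = struct.unpack_from("!BB", raw, off)
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = raw[off + 2:off + alen]
        off += alen
    return code, ident, raw[4:20], attrs


def flag_downloadable_acl_user(raw):
    """(flagged, username): an observer without the shared secret can read
    the pseudo-user name that the ACS ACL download uses."""
    _, _, _, attrs = parse_radius(raw)
    name = attrs.get(ATTR_USER_NAME, b"")
    return name.startswith(b"#ACSACL#-"), name


# Constructed capture of the device fetching a downloadable ACL: the
# pseudo-user's password is its own name, as the bulletin describes.
SECRET = b"example-shared-secret"
PSEUDO_USER = b"#ACSACL#-IP-uacl-4f3a1c"
CAPTURE = build_access_request(PSEUDO_USER, PSEUDO_USER, SECRET,
                               authenticator=bytes(range(16)))

if __name__ == "__main__":
    flagged, name = flag_downloadable_acl_user(CAPTURE)
    print("pseudo-user seen:", flagged, name.decode())
    _, _, auth, attrs = parse_radius(CAPTURE)
    print("password with secret:", reveal_user_password(attrs[ATTR_USER_PASSWORD], SECRET, auth))
```

The point the decode makes concrete: the attacker never needs the secret to learn the name, and since the password is the name, the only thing standing between a sniffer and the ACL download is being accepted as a RADIUS client by the ACS.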

computer threat note CVE-2005-3666 CVE-2005-3667 CVE-2005-3668

IPSec: vulnerabilities of some ISAKMP protocol implementations

Synthesis of the vulnerability

Several implementations of ISAKMP protocol are affected by the same vulnerabilities.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 14.
Creation date: 14/11/2005.
Revision date: 22/11/2005.
Identifiers: 102040, 102246, 10310, 20060501-01-U, 273756, 273756/NISCC/ISAKMP, 6317027, 6348585, 68158, BID-15401, BID-15402, BID-15416, BID-15420, BID-15474, BID-15479, BID-15516, BID-15523, BID-17030, BID-17902, c00602119, CERTA-2005-AVI-458, CERTA-2005-AVI-504, CQ/68020, CSCed94829, CSCei14171, CSCei15053, CSCei19275, CSCei46258, CSCsb15296, CVE-2005-3666, CVE-2005-3667, CVE-2005-3668, CVE-2005-3669, CVE-2005-3670, CVE-2005-3671, CVE-2005-3672, CVE-2005-3673, CVE-2005-3674, CVE-2005-3675, CVE-2005-3732, CVE-2005-3733, CVE-2005-3768, CVE-2006-2298, DSA-965-1, FEDORA-2005-1092, FEDORA-2005-1093, FLSA:190941, FLSA-2006:190941, HPSBTU02100, HPSBUX02076, MDKSA-2006:020, NetBSD-SA2006-003, NISCC/ISAKMP/273756, PR/61076, PR/61779, PSN-2005-11-007, RHSA-2006:026, RHSA-2006:0267-01, SEF8.0-20051114-00, sk31316, SSRT050979, SUSE-SA:2005:070, SYM05-025, VIGILANCE-VUL-5352, VU#226364.

Description of the vulnerability

The IPsec protocol is used to create VPNs. To create an IPsec tunnel, SAs (Security Associations: algorithm, key size, etc.) have to be shared between both ends. The SAs can be set by the administrator, or negotiated automatically. In the latter case, the IKE protocol (Internet Key Exchange) is used. IKE is based on ISAKMP (and Oakley/SKEME). The ISAKMP protocol (Internet Security Association and Key Management Protocol) defines a generic framework (message format and mechanisms). ISAKMP uses two phases: set up a secure connection (phase 1, main mode or aggressive mode), then use this connection to exchange one or several SAs (phase 2, quick mode). Aggressive mode uses fewer packets than main mode, but sends the identity and the authentication hash before the channel is encrypted, and is therefore not recommended.

Several products incorrectly implement phase 1 of the ISAKMP/IKEv1 protocol. They contain buffer overflow, format string or denial of service vulnerabilities, reachable before authentication.

Depending on products, these vulnerabilities lead to code execution or to a denial of service.
Our database contains other pages. You can request a free trial to read them.