Several serious vulnerabilities have recently been discovered in the Cisco VPN 3000 Series Concentrator, an enterprise VPN appliance whose scalability and performance have made it popular. According to Cisco, a combination of internal testing and customer reports has uncovered a group of significant vulnerabilities. The company has released a list of workarounds and made new versions of software available to address the problems. Cisco says there haven’t been any reports of exploits yet and that the VPN 5000 Series is not affected by these vulnerabilities.

This is a particularly complex set of vulnerabilities, and those who think they might be affected should go to the Cisco Security Advisory itself, if only because updates may be posted after this column publishes. Most of the information in this column is based on release 2.0 of the advisory, which is the update that posted the same day the original advisory was released.

Applicability: All Cisco VPN 3000 series
Cisco VPN concentrators affected by these vulnerabilities include the 3005, 3015, 3030, 3060, and 3080 models, as well as the 3002 Hardware Client. Here is a list of the vulnerabilities:

  • CSCdt56514, PPTP, IPSec internal authentication login—Rel. 3.6 or earlier versions
  • CSCdu15622, HTML parser processing—versions earlier than Rel. 3.0.3
  • CSCdu35577, confidential information provided in application layer banners—versions before Rel. 3.5.4
  • CSCdu82823, Telnetd vulnerability—versions before Rel. 3.0.4
  • CSCdv66718, Windows PPTP client vulnerability—versions before Rel. 2.5.2
  • CSCdv88230 and CSCdw22408, user passwords visible with HTML view source—versions earlier than 3.5.1
  • CSCdw50657, certificate passwords visible with HTML view source—versions earlier than 3.5.2
  • CSCdx07754, XML public rule
  • CSCdx24622, HTML pages access
  • CSCdx24632, HTML login processing—versions earlier than 3.5.3
  • CSCdx39981, VPN client authentication—Rel. 3.6 or earlier versions
  • CSCdx54675, LAN-to-LAN IPSec tunnel—versions earlier than Rel. 3.5.4
  • CSCdy38035, ISAKMP packet processing—Rel. 3.6 or earlier versions

The Web interface or console menu will indicate the version currently installed on the hardware.

Risk level: Maximum is critical
Since individual patches aren’t available, it wouldn’t be particularly useful to go through all the details of the particular problems or their impact other than to point out that the threats can lead to denial of service attacks, disclosure of passwords, or even access to the network serviced by the VPN Concentrator.

Fix: Upgrade software or apply workaround where available
The latest code versions for these Cisco 3000 Series Concentrators and the 3002 Hardware Client are 3.5.5 and 3.6.1, either of which will patch all these vulnerabilities.

Registered, authorized users who obtain support directly from Cisco can get free updates for the VPN 3000 Series from Cisco’s 3000 Series support site. Those who have third-party support must contact their vendors. Others should check the Cisco Technical Assistance Center for various contact links and addresses and perhaps look over the details of the threats to see if they can be eliminated using a workaround.

Here is a brief look at the workarounds that are available for the various flaws:

Add external authentication:
  • CSCdt56514—PPTP, IPSec internal authentication login

Restrict Telnet access to trusted sources:
  • CSCdu82823—Telnetd vulnerability

Restrict to IPSec support:
  • CSCdv66718—Windows PPTP client vulnerability

Remove XML filter on public interface:
  • CSCdx07754—XML public rule

Restrict access to HTML to trusted sources:
  • CSCdu15622—HTML parser processing
  • CSCdv88230, CSCdw22408—user passwords visible with HTML view source
  • CSCdw50657—certificate passwords visible with HTML view source
  • CSCdx24622—HTML pages access
  • CSCdx24632—HTML login processing

No workarounds are available for:
  • CSCdu35577—confidential information provided in application layer banners
  • CSCdx39981—VPN client authentication
  • CSCdx54675—LAN-to-LAN IPSec tunnel
  • CSCdy38035—ISAKMP packet processing
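As an added example (not part of this column or of Cisco's advisory), the following encodes the version thresholds listed above and the two fixed releases from the Fix section so an administrator can check an installed release against the list without misreading "3.6 or earlier" against the 3.5.5 fix. Treating the two bugs for which the column gives no version range as applicable on any release the column does not call fixed is an assumption.

```python
# Added example, not from the column or Cisco: decide which of the bug IDs
# listed above still apply to an installed VPN 3000 release, using only the
# version thresholds and the two fixed releases (3.5.5, 3.6.1) stated above.
from typing import List, Optional, Tuple

def parse_version(text: str) -> Tuple[int, int, int]:
    """'3.5.4' -> (3, 5, 4); a two-part release such as '3.6' -> (3, 6, 0)."""
    parts = [int(p) for p in text.strip().split(".")] + [0, 0]
    return parts[0], parts[1], parts[2]

# (bug id, threshold, inclusive, workaround). inclusive=True encodes "Rel. X or
# earlier", inclusive=False "versions earlier than X". threshold=None: the column
# gives no range; assumption here: affected on any release not called fixed.
HTML = "restrict HTML access to trusted sources"
BUGS = [
    ("CSCdt56514", "3.6", True, "add external authentication"),
    ("CSCdu15622", "3.0.3", False, HTML),
    ("CSCdu35577", "3.5.4", False, None),
    ("CSCdu82823", "3.0.4", False, "restrict Telnet access to trusted sources"),
    ("CSCdv66718", "2.5.2", False, "restrict to IPSec support"),
    ("CSCdv88230", "3.5.1", False, HTML),
    ("CSCdw22408", "3.5.1", False, HTML),
    ("CSCdw50657", "3.5.2", False, HTML),
    ("CSCdx07754", None, False, "remove XML filter on public interface"),
    ("CSCdx24622", None, False, HTML),
    ("CSCdx24632", "3.5.3", False, HTML),
    ("CSCdx39981", "3.6", True, None),
    ("CSCdx54675", "3.5.4", False, None),
    ("CSCdy38035", "3.6", True, None),
]

# First fixed release per train. A flat numeric comparison would call 3.6.0
# "newer than 3.5.5" and therefore patched, which is wrong: fixes are per train.
FIXED_BY_TRAIN = {(3, 5): (3, 5, 5), (3, 6): (3, 6, 1)}

def is_fixed_release(version: str) -> bool:
    v = parse_version(version)
    fixed = FIXED_BY_TRAIN.get(v[:2])
    return fixed is not None and v >= fixed

def applicable_bugs(version: str) -> List[Tuple[str, Optional[str]]]:
    # Returns (bug id, workaround or None) for each listed bug hitting this release.
    if is_fixed_release(version):
        return []
    v = parse_version(version)
    hits = []
    for bug_id, threshold, inclusive, workaround in BUGS:
        bound = parse_version(threshold) if threshold else None
        if bound is None or v < bound or (inclusive and v == bound):
            hits.append((bug_id, workaround))
    return hits
```

Bugs that come back with a workaround of None are the four for which the column lists no workaround, so on those releases only the upgrade closes them.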

Final word
The most important points to note here are that there don’t appear to have been any exploits of these vulnerabilities to date and that the more robust VPN 5000 Series doesn’t have these vulnerabilities and does not require updates for these problems.