FYI if you're using the former Altiga VPN concentrator...

----- Original Message -----
From: "Cisco Systems Product Security Incident Response Team"

To: 
Sent: Thursday, April 12, 2001 9:45 AM
Subject: Cisco Security Advisory: Cisco VPN3000 Concentrator IP Options Vulnerability


>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Cisco Security Advisory: VPN 3000 Concentrator IP Options Vulnerability
>
> =============================================================================
> Revision 1.0
>
> For Public Release 2001 April 12 at 1500 UTC
>
>   ------------------------------------------------------------------------
>
> Summary
> =======
> If a crafted IP packet, with an invalid IP Option setting is transmitted to
> a VPN 3000 series concentrator on the same network segment (no routers in
> between), it can cause the VPN 3000 series concentrator to hang with a 100%
> CPU Utilization. The concentrator would then have to be reset. After
> rebooting, the equipment would function normally until the crafted IP
> packet is received again. The defect can be exploited to produce a denial
> of service (DoS) attack.
>
> The vulnerability is described in Cisco bug id CSCds92460.
>
> This notice will be posted at
> http://www.cisco.com/warp/public/707/vpn3k-ipoptions-vuln-pub.shtml
>
> Affected Products
> =================
> Cisco VPN 3000 series concentrators running software releases up to but not
> including revision 2.5.2 (F) are affected by this vulnerability. This
> series includes models 3005, 3015, 3030, 3060, and 3080.
>
> Any VPN 3000 series concentrators running revision 2.5.2 (F) or later are
> unaffected by this vulnerability.
>
> This vulnerability does not affect the VPN 5000 series concentrators. No
> other Cisco product is known to be affected by this vulnerability.
>
> To determine if a Cisco VPN 3000 series concentrator is running affected
> software, check the revision via the web interface or the console menu.
>
> Details
> =======
> If a crafted IP packet, with an invalid IP Option setting, is transmitted
> to a VPN 3000 series concentrator on the same network segment (no routers
> in between), on either the Inside or the Outside interface, it can cause
> the VPN 3000 series concentrator to hang with a 100 % CPU Utilization. The
> concentrator would then have to be reset via the console port as no SNMP or
> HTTP remote management control would be possible. After rebooting, the
> equipment would function normally until the crafted IP packet is received
> again.
>
> In order to exploit this vulnerability the attacker must be on the same
> network segment as the concentrator without any routers in between. A
> crafted IP packet traversing a router would typically get its invalid IP
> Options dropped and would not be able to affect the VPN 3000 series
> concentrator.
>
> The vulnerability is documented as Cisco bug id CSCds92460.
>
> Impact
> ======
> When this crafted IP packet is received by the VPN 3000 series
> concentrator, the concentrator will stop passing traffic and will not
> respond to any management inquiries via SNMP, Telnet or HTTP. However
> management via the console port is possible.
>
> For VPN 3000 series concentrator models 3015, 3030, 3060, and 3080 the CPU
> Utilization bar graph indicator on the front panel will go to 100%.
>
> Software Versions and Fixes
> ===========================
> The vulnerability has been fixed in revision 2.5.2 (E) code. The fix will
> be carried forward into all future releases.
>
> However due to the advisory at
> http://www.cisco.com/warp/public/707/vpn3k-telnet-vuln-pub.shtml the
> recommended revision to upgrade to is 2.5.2 (F)
>
> Upgrade can be done via the remote software upgrade feature using the VPN
> 3000 series concentrator's web based management interface.
>
> Obtaining Fixed Software
> ========================
> Cisco is offering free software upgrades to remedy this vulnerability for
> all affected customers. Customers with service contracts may upgrade to any
> software release. Customers may install only the feature sets they have
> purchased.
>
> Fixed software is currently available.
>
> Customers with contracts should obtain upgraded software through their
> regular update channels. For most customers, this means that upgrades
> should be obtained via Cisco's Software Center at http://www.cisco.com/.
>
> Customers without contracts or warranty should get their upgrades by
> contacting the Cisco Technical Assistance Center (TAC) as shown below:
>
>    * (800) 553-2447 (toll-free in North America)
>    * +1 408 526 7209 (toll call from anywhere in the world)
>    * e-mail: [EMAIL PROTECTED]
>
> See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
> additional TAC contact information, including instructions and e-mail
> addresses for use in various languages.
>
> Give the URL of this notice as evidence of your entitlement to a free
> upgrade. Free upgrades for non-contract customers must be requested through
> the TAC. Please do not contact either "[EMAIL PROTECTED]" or
> "[EMAIL PROTECTED]" for software upgrades; faster results will be
> obtained by contacting the TAC directly.
>
> Workarounds
> ===========
> There are no system configuration workarounds. Please upgrade to revision
> 2.5.2 (F) code.
>
> Exploitation and Public Announcements
> =====================================
> The Cisco PSIRT is not aware of any public announcements or malicious use
> of the vulnerabilities described in this advisory.
>
> This was reported to Cisco by a customer who accidentally discovered this
> vulnerability.
>
> Status of This Notice: FINAL
> ============================
> This is a final field notice. Although Cisco cannot guarantee the accuracy
> of all statements in this notice, all of the facts have been checked to the
> best of our ability. Cisco does not anticipate issuing updated versions of
> this notice unless there is some material change in the facts. Should there
> be a significant change in the facts, Cisco may update this notice.
>
> Distribution
> ============
> This notice will be posted on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/vpn3k-ipoptions-vuln-pub.shtml.
>
> In addition to Worldwide Web posting, a text version of this notice will be
> clear-signed with the Cisco PSIRT PGP key and will be posted to the
> following e-mail and Usenet news recipients:
>
>    * [EMAIL PROTECTED]
>    * [EMAIL PROTECTED]
>    * [EMAIL PROTECTED]
>    * [EMAIL PROTECTED] (including CERT/CC)
>    * [EMAIL PROTECTED]
>    * [EMAIL PROTECTED]
>    * comp.dcom.sys.cisco
>    * Various internal Cisco mailing lists
>
> Future updates of this notice, if any, will be placed on Cisco's Worldwide
> Web server, but may or may not be actively announced on mailing lists or
> newsgroups. Users concerned about this problem are encouraged to check the
> URL given above for any updates.
>
> Revision History
> ================
>  Revision Number 1.0    2001-04-12    Initial public release
>
> Cisco Security Procedures
> =========================
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and registering to
> receive security information from Cisco, is available on Cisco's Worldwide
> Web site at
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
> includes instructions for press inquiries regarding Cisco security notices.
>
>   ------------------------------------------------------------------------
>
> This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be
> redistributed freely after the release date given at the top of the text,
> provided that redistributed copies are complete and unmodified, and include
> all date and version information.
>
>   ------------------------------------------------------------------------

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=364&t=364
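
Added example, not part of the advisory or of the forwarded message: the advisory does not say which IP Option setting is invalid, so this sketch for a monitoring sensor on the concentrator's own segment flags any IPv4 header whose options area is structurally malformed under RFC 791. The names `build_header` and `check_ipv4_options` and the sample headers (TEST-NET addresses) are constructed for illustration.

```python
import struct

EOL, NOP = 0, 1  # the two single-byte options defined in RFC 791


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample input: a bare IPv4 header (checksum left at 0) plus options."""
    if len(options) % 4 or len(options) > 40:
        raise ValueError("options must be padded to 4 bytes and at most 40 bytes")
    ihl = 5 + len(options) // 4
    return struct.pack(
        "!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options


def check_ipv4_options(packet: bytes) -> list[str]:
    """Return the structural problems found in the IPv4 options area ([] if none)."""
    if len(packet) < 20:
        return ["truncated: shorter than the minimum IPv4 header"]
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        return ["not IPv4"]
    header_len = ihl * 4
    if header_len < 20:
        return [f"IHL {ihl} is below the minimum of 5"]
    if header_len > len(packet):
        return ["truncated: IHL points past the captured data"]
    problems, opts, i = [], packet[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:          # end of option list: the rest is padding
            break
        if kind == NOP:          # one-byte filler, no length field
            i += 1
            continue
        if i + 1 >= len(opts):   # every other option must carry a length byte
            problems.append(f"option {kind} at offset {i}: missing length byte")
            break
        length = opts[i + 1]     # length counts the type and length bytes too
        if length < 2:
            problems.append(f"option {kind} at offset {i}: length {length} is below 2")
            break
        if i + length > len(opts):
            problems.append(f"option {kind} at offset {i}: length {length} overruns the header")
            break
        i += length
    return problems
```

The check is structural only: it does not validate the header checksum or the semantics of individual options, and a sensor would feed it the IP header bytes taken from each captured frame.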