Re: Cisco VPN Concentrator GUI

[Erik Kamerling <ekamerling () snaplen com>]

My original response never made it so here it is again.

On Sunday 15 May 2005 23:09, kaps lock wrote:
> i cant find any vulenrabilites on the net ....to
> explain to the person....only thing i can think of is
> brute forcing the username pasword field...which is
> again a challenge for web vpn..any ideas??
> thanks

Hi Kaps Lock,

You might want to impart info to your client regarding the common sense 
security measure of limiting access to the HTTPS interface on the 
concentrator to only trusted management hosts or internal networks. 

Enabling uncontrolled public side HTTP(S) management of a VPN concentrator 
gives out way more info re: their VPN than most people would want IMHO.

I don't believe HTTP(S) is enabled by default (at least on a public interface) 
on a 3000 series concentrator so someone turned it on most likely.

3000 series concentrators are vulnerable to a SSL attack prior to version 
4.1.7.A so you might want to point this out to them. The attacker does not 
need to authenticate and can effectively reload the device or make it drop 
user connections. 

Here is the advisory -> 
http://www.cisco.com/warp/public/707/cisco-sa-20050330-vpn3k.shtml

And a more general view on 3000 vulnerabilities ->
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml

Best Wishes,

Erik Kamerling