Vulnerabilities > CVE-2002-1094 - Unspecified vulnerability in Cisco products

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
cisco
nessus

Summary

Information leaks in Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before 3.5.4 allow remote attackers to obtain potentially sensitive information via the (1) SSH banner, (2) FTP banner, or (3) an incorrect HTTP request.

Nessus

  • NASL family: CISCO
    NASL id: CSCDU35577.NASL
    description: According to its banner, the remote VPN concentrator gives out too much information in application layer banners. This vulnerability is documented as Cisco bug ID CSCdu35577.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11289
    published: 2003-03-01
    reporter: This script is (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11289
    title: Cisco VPN 3000 Concentrator Multiple Service Banner System Information Disclosure (CSCdu35577)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # Thanks to Nicolas FISCHBACH ([email protected]) for his help
    #
    # Ref:  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020903-vpn3k-vulnerability
    #
    # Changes by Tenable :
    # - Added CVSS score, revised desc.
    # - Fixed typo, added URL comment.
    
    
    include("compat.inc");
    
    # Registration phase: when the scanner loads the plugin with `description`
    # set, only metadata is declared and the script exits before any check runs.
    if (description)
    {
      # Identifiers tying this plugin to the advisory.
      script_id(11289);
      script_bugtraq_id(5621, 5623, 5624);
      script_version("1.20");
      script_cve_id("CVE-2002-1094");

      script_name(english:"Cisco VPN 3000 Concentrator Multiple Service Banner System Information Disclosure (CSCdu35577)");

      # Report text shown to the operator.
      script_set_attribute(attribute:"synopsis", value:"The remote VPN concentrator reveals application layer banners.");
      script_set_attribute(attribute:"description", value:"According to its banner, the remote VPN concentrator gives out
    too much information in application layer banners. This
    vulnerability is documented as Cisco bug ID CSCdu35577.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020903-vpn3k-vulnerability
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2702929c");
      script_set_attribute(attribute:"solution", value:"Apply vendor-supplied patches.");

      # CVSS v2 base: network-reachable, low complexity, no authentication,
      # partial confidentiality impact only (an information leak).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      # CVSS v2 temporal: exploitability unproven, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      # Dates and classification.
      script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/01");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/03");
      script_cvs_date("Date: 2018/11/15 20:50:20");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
      script_end_attributes();

      script_summary(english:"Uses SNMP to determine if a flaw is present");

      # Information-gathering category.
      script_category(ACT_GATHER_INFO);

      script_copyright(english:"This script is (C) 2003-2018 Tenable Network Security, Inc.");

      script_family(english:"CISCO");

      # The verdict is derived from knowledge-base data populated by the SNMP
      # sysDesc plugin, so the check needs a working SNMP community on the target.
      script_dependencie("snmp_sysDesc.nasl");
      script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");
      exit(0);
    }
    
    
    # Detection logic: the verdict is taken from the SNMP sysDesc string held in
    # the knowledge base; the SSH, FTP and HTTP banners themselves are not
    # inspected here.
    sysdesc = get_kb_item("SNMP/sysDesc");
    if (!sysdesc) exit(0);

    # Only VPN 3000 Concentrators are in scope.
    if (!egrep(pattern:".*VPN 3000 Concentrator.*", string:sysdesc)) exit(0);

    # Releases before 3.5.4 are flagged: 3.5.Rel and 3.5.0-3.5.3, every 3.0.x and
    # 3.1.x build, and every 2.x.x build.
    # NOTE(review): "[0-3]" constrains only the first character after "3.5.", so a
    # string such as "Version 3.5.10" would match as well -- confirm against the
    # sysDesc formats the device really emits before relying on this as a
    # patch-level verdict.
    vulnerable = FALSE;
    if (egrep(pattern:".*Version 3\.5\.Rel.*", string:sysdesc) ||
        egrep(pattern:".*Version 3\.5\.[0-3].*", string:sysdesc) ||
        egrep(pattern:".*Version 3\.[0-1]\..*", string:sysdesc) ||
        egrep(pattern:".*Version 2\..*", string:sysdesc))
      vulnerable = TRUE;

    # The finding is attributed to the SNMP service (161/udp), which supplied the
    # version string.
    if (vulnerable) security_warning(port:161, proto:"udp");
    
  • NASL family: CISCO
    NASL id: CSCDU35577_WEB.NASL
    description: The remote VPN concentrator gives out too much information in application layer banners. An incorrect page request provides the specific version of software installed. This vulnerability is documented as Cisco bug ID CSCdu35577.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14718
    published: 2004-09-14
    reporter: This script is Copyright (C) 2004-2018 Michael J. Richardson
    source: https://www.tenable.com/plugins/nessus/14718
    title: Cisco VPN 3000 Concentrator Multiple Service Banner System Information Disclosure (CSCdu35577 HTTP Check)
    code:
    #
    # This script was written by Michael J. Richardson <[email protected]>
    #
    # Changes by Tenable:
    # -  updated copyright (1/20/09)
    # - Added CVSS2 scores, revised desc.
    # - Title tweak, formatting (10/29/09)
    # - Fixed typo in the solution (03/05/14)
    
    
    include("compat.inc");
    
    # Registration phase: when the scanner loads the plugin with `description`
    # set, only metadata is declared and the script exits before any request is
    # sent.
    if (description)
    {
      # Identifiers tying this plugin to the advisory.
      script_id(14718);
      script_version("1.20");
      script_cve_id("CVE-2002-1094");
      script_bugtraq_id(5624);

      script_name(english:"Cisco VPN 3000 Concentrator Multiple Service Banner System Information Disclosure (CSCdu35577 HTTP Check)");

      # Report text shown to the operator.
      script_set_attribute(attribute:"synopsis", value:"The remote VPN concentrator reveals application layer banners.");
      script_set_attribute(attribute:"description", value:"The remote VPN concentrator gives out too much information in 
    application layer banners. An incorrect page request provides 
    the specific version of software installed. This vulnerability 
    is documented as Cisco bug ID CSCdu35577.");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2702929c");
      script_set_attribute(attribute:"solution", value:"Apply vendor-supplied patch.");

      # CVSS v2 base: network-reachable, low complexity, no authentication,
      # partial confidentiality impact only (an information leak).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      # CVSS v2 temporal: exploitability unproven, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      # Dates and classification; "remote" matches the HTTP probe this plugin
      # performs.
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/03");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
      script_end_attributes();

      script_summary(english:"Checks web interface for Cisco bug ID CSCdu35577");
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2020 Michael J. Richardson");
      script_family(english:"CISCO");

      # Needs service discovery and HTTP version detection first, and a web
      # service registered in the knowledge base or listening on port 80.
      script_dependencie("find_service1.nasl", "http_version.nasl");
      script_require_ports("Services/www", 80);
      exit(0);
    }
    
    #
    # The script code starts here
    #
    include("http_func.inc");
    include ("global_settings.inc");
    include("http_keepalive.inc");
    
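    # Resolve the web port to test (default 80, embedded web servers allowed)
    # and stop if it is not open.
    port = get_http_port(default:80, embedded:TRUE);

    if(!get_port_state(port))
      exit(0);

    # Request a page that should not exist. The flaw being checked is that the
    # device answers such an incorrect request with a page disclosing its
    # software version.
    req = http_get(item:"/this_page_should_not_exist.htm", port:port);
    res = http_keepalive_send_recv(port:port, data:req);

    if ( res == NULL )
      exit(0);

    # Report only when all three markers are present: a 200 status for the bogus
    # page, the "Software Version" label, and the VPN 3000 product string.
    #
    # Fix: the closing quote of the second operand used to sit after `>< res`,
    # which turned the operand into a constant string literal instead of a
    # substring test, so the response body was never checked for the
    # "Software Version" label and the condition was weaker than intended.
    if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:res) &&
       "<b>Software Version:</b>" >< res &&
       "Cisco Systems, Inc./VPN 3000 Concentrator Version" >< res)
      {
        security_warning(port:port);
        exit(0);
      }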