CVE-2002-1095 - Unspecified vulnerability in Cisco products
- Attack vector: UNKNOWN
- Attack complexity: UNKNOWN
- Privileges required: UNKNOWN
- Confidentiality impact: UNKNOWN
- Integrity impact: UNKNOWN
- Availability impact: UNKNOWN

cisco
nessus
Summary
Cisco VPN 3000 Concentrator before 2.5.2(F), with encryption enabled, allows remote attackers to cause a denial of service (reload) via a Windows-based PPTP client with the "No Encryption" option set.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 5 |
Application | | 2 |
Nessus
- NASL family: CISCO
- NASL id: CSCDT56514.NASL
- description: The remote VPN concentrator is vulnerable to an internal PPTP / IPSEC authentication login attack. This vulnerability is documented as Cisco bug ID CSCdt56514.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 11287
- published: 2003-03-01
- reporter: This script is (C) 2003-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/11287
- title: Cisco VPN 3000 Concentrator Multiple Vulnerabilities (CSCdt56514, CSCdv66718)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

#
# Thanks to Nicolas FISCHBACH ([email protected]) for his help
#

include("compat.inc");

if(description)
{
 script_id(11287);
 script_bugtraq_id(5613);
 script_version("1.21");
 script_cve_id("CVE-2002-1092","CVE-2002-1095");

 script_name(english:"Cisco VPN 3000 Concentrator Multiple Vulnerabilities (CSCdt56514, CSCdv66718)");

 script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch." );
 script_set_attribute(attribute:"description", value:
"The remote VPN concentrator is vulnerable to an internal PPTP / IPSEC authentication login attack. This vulnerability is documented as Cisco bug ID CSCdt56514." );
 script_set_attribute(attribute:"solution", value:
"http://www.nessus.org/u?d2dd6759" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/01");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/09/03");
 script_cvs_date("Date: 2018/06/27 18:42:25");
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
 script_end_attributes();

 summary["english"] = "Uses SNMP to determine if a flaw is present";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is (C) 2003-2018 Tenable Network Security, Inc.");

 script_family(english:"CISCO");

 script_dependencie("snmp_sysDesc.nasl");
 script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");
 exit(0);
}

# The code starts here
ok=0;
os = get_kb_item("SNMP/sysDesc");
if(!os)exit(0);

# Is this a VPN3k concentrator ?
if(!egrep(pattern:".*VPN 3000 Concentrator.*", string:os))exit(0);

# 3.6(Rel)
if(egrep(pattern:".*Version 3\.6\.Rel.*", string:os))ok = 1;

# 3.5(Rel)
if(egrep(pattern:".*Version 3\.5\.Rel.*", string:os))ok = 1;

# 3.5.x -> 3.5.4
if(egrep(pattern:".*Version 3\.5\.[0-4].*", string:os))ok = 1;

# 3.1.x -> 3.1.2
if(egrep(pattern:".*Version 3\.1\.Rel.*", string:os))ok = 1;
if(egrep(pattern:".*Version 3\.1\.[0-1][^0-9].*", string:os))ok = 1;

# < 3.0.3(B)
if(egrep(pattern:".*Version 3\.0\.[0-2].*", string:os))ok = 1;

# 2.x.x
if(egrep(pattern:".*Version 2\..*", string:os))ok = 1;

if(ok)security_hole(port:161, proto:"udp");
```
- NASL family: CISCO
- NASL id: CSCDX39981.NASL
- description: The remote VPN concentrator is subject to a VPN client authentication vulnerability that can force a reload of the concentrator when a very large string for the username prompt is sent. This vulnerability is documented as Cisco bug ID CSCdx39981.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 11295
- published: 2003-03-01
- reporter: This script is (C) 2003-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/11295
- title: Cisco VPN 3000 Concentrator PPTP No Encryption Option Remote DoS (CSCdx39981)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

# Thanks to Nicolas FISCHBACH ([email protected]) for his help
#
# Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020903-vpn3k-vulnerability

include("compat.inc");

if(description)
{
 script_id(11295);
 script_version("1.20");
 script_cve_id("CVE-2002-1095");
 script_bugtraq_id(5625);

 script_name(english:"Cisco VPN 3000 Concentrator PPTP No Encryption Option Remote DoS (CSCdx39981)");

 script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch." );
 script_set_attribute(attribute:"description", value:
"The remote VPN concentrator is subject to a VPN client authentication vulnerability that can force a reload of the concentrator when a very large string for the username prompt is sent. This vulnerability is documented as Cisco bug ID CSCdx39981." );
 script_set_attribute(attribute:"solution", value:
"http://www.nessus.org/u?d2dd6759" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/01");
 script_cvs_date("Date: 2018/06/27 18:42:25");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/09/03");
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
 script_end_attributes();

 script_summary(english:"Uses SNMP to determine if a flaw is present");

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is (C) 2003-2018 Tenable Network Security, Inc.");

 script_family(english:"CISCO");

 script_dependencie("snmp_sysDesc.nasl");
 script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");
 exit(0);
}

# The code starts here
ok=0;
os = get_kb_item("SNMP/sysDesc");
if(!os)exit(0);

# Is this a VPN3k concentrator ?
if(!egrep(pattern:".*VPN 3000 Concentrator.*", string:os))exit(0);

# 3.6.Rel
if(egrep(pattern:".*Version 3\.6\.Rel.*", string:os))ok = 1;

# < 3.5.5
if(egrep(pattern:".*Version 3\.5\.Rel.*", string:os))ok = 1;
if(egrep(pattern:".*Version 3\.5\.[0-4].*", string:os))ok = 1;

# 3.1.x
if(egrep(pattern:".*Version 3\.1\..*", string:os))ok = 1;

# 3.0.x
if(egrep(pattern:".*Version 3\.0\..*", string:os))ok = 1;

# 2.x.x
if(egrep(pattern:".*Version 2\..*", string:os))ok = 1;

if(ok)security_warning(port:161, proto:"udp");
```
References
- http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
- http://www.iss.net/security_center/static/10021.php
- http://www.securityfocus.com/bid/5625