Vulnerabilities > CVE-2002-1096 - Unspecified vulnerability in Cisco products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
cisco
nessus
NVD
Published: 2002-10-04
Updated: 2018-10-30

Summary

Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.1, allows restricted administrators to obtain user passwords that are stored in plaintext in HTML source code.

Vulnerable Configurations

Part Description Count
OS
Cisco
16
Application
Cisco
1

Nessus

NASL familyCISCO
NASL idCSCDV88230.NASL
descriptionThe remote VPN concentrator discloses the passwords of its users in the source HTML of the embedded web server. This vulnerability is documented as Cisco bug ID CSCdv88230 and CSCdw22408.
last seen2020-06-01
modified2020-06-02
plugin id11292
published2003-03-01
reporterThis script is (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11292
titleCisco VPN 3000 Concentrator HTML Source Plaintext User Password Disclosure (CSCdv88230, CSCdw22408)
code
#
# (C) Tenable Network Security, Inc.
#

# Thanks to Nicolas FISCHBACH ([email protected]) for his help
#
# Ref:  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020903-vpn3k-vulnerability

include("compat.inc");

if(description)
{
 script_id(11292);
 script_version("1.19");
 script_cve_id("CVE-2002-1096");
 script_bugtraq_id(5611);

 script_name(english:"Cisco VPN 3000 Concentrator HTML Source Plaintext User Password Disclosure (CSCdv88230, CSCdw22408)");

 script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch." );
 script_set_attribute(attribute:"description", value:
"The remote VPN concentrator discloses the passwords of
its users in the source HTML of the embedded web server.

This vulnerability is documented as Cisco bug ID CSCdv88230 and CSCdw22408." );
 script_set_attribute(attribute:"solution", value:
"http://www.nessus.org/u?d2dd6759" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/01");
 script_cvs_date("Date: 2018/06/27 18:42:25");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/09/03");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
 script_end_attributes();

 script_summary(english:"Uses SNMP to determine if a flaw is present");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"CISCO");
 script_dependencie("snmp_sysDesc.nasl");
 script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");
 script_require_ports("Services/www", 80);
 exit(0);
}

# The code starts here

ok=0;

os = get_kb_item("SNMP/sysDesc"); if(!os)exit(0);

port = get_kb_list("Services/www");
if(isnull(port)) 
{
 if(!get_port_state(80))exit(0);
 soc = open_sock_tcp(80);
 if(!soc)exit(0);
 else close(soc);
}



# Is this a VPN3k concentrator ?
if(!egrep(pattern:".*VPN 3000 Concentrator.*", string:os))exit(0);

# < 3.5.1
if(egrep(pattern:".*Version 3\.5\.Rel.*", string:os))ok = 1;
if(egrep(pattern:".*Version 3\.5\.0.*", string:os))ok = 1;

# < 3.1.4
if(egrep(pattern:".*Version 3\.1\.Rel.*", string:os))ok = 1;
if(egrep(pattern:".*Version 3\.1\.[0-3][^0-9].*", string:os))ok = 1;

# 3.0.x
if(egrep(pattern:".*Version 3\.0\..*", string:os))ok = 1;

# 2.x.x
if(egrep(pattern:".*Version 2\..*", string:os))ok = 1;


if(ok)security_hole(port:161, proto:"udp");

References