private network
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network
(MVPN) Data Leak
Advisory ID: cisco-sa-20080326-mvpn
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Affected Products
=================
>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>> listening service configured in the client firewall and are therefore
>> not affected by this vulnerability. Windows XP Service Pack 2 and
>> later operating systems include a stateful host firewall that provides
>> protection for computers against incoming traffic from the Internet or
>> from neighboring network devices on a private network. ... Customers
>> running Windows XP are at reduced risk, and Microsoft recommends they
>> use the firewall included with the operating system, or a network
>> firewall, to block access to the affected ports and limit the attack
>> surface from untrusted networks."
>>
successful attack may result in a sustained DoS condition. Versions
7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of
these vulnerabilities. A Cisco ASA device configured for any of the
following features is affected:
* Secure Socket Layer Virtual Private Network (SSL VPN)
* When the affected device is configured to accept Cisco Adaptive
Security Device Manager (ASDM) connections
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access when using HTTPS
+------------------
Devices running affected versions of Cisco IOS Software are
susceptible if configured with any of the following features:
* Secure Socket Layer (SSL) Virtual Private Network (VPN)
* Secure Shell (SSH)
* Internet Key Exchange (IKE) Encrypted Nonces
Note: Other SSL/HTTPS related features than WebVPN and SSL VPN are
not affected by this vulnerability.
Elizabeth.a.greene@gmail.com wrote:
> As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.
>
> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
> "If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
>
> -eg
>
>
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Affected Products
=================
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.
Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
"If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
-eg
Service Pack 2 do not have a listening service configured in the client
firewall and are therefore not affected by this vulnerability. Windows
XP Service Pack 2 and later operating systems include a stateful host
firewall that provides protection for computers against incoming traffic
from the Internet or from neighboring network devices on a private
network. The impact of a denial of service attack is that a system would
become unresponsive due to memory consumption. However, a successful
attack requires a sustained flood of specially crafted TCP packets, and
the system will recover once the flood ceases. This makes the severity
rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925.
Customers running Windows XP are at reduced risk, and Microsoft
Details
=======
The Cisco AnyConnect Secure Mobility Client is the Cisco
next-generation VPN client, which provides remote users with secure
IPsec (IKEv2) or SSL Virtual Private Network (VPN) connections to
Cisco 5500 Series Adaptive Security Appliances (ASA) and devices that
are running Cisco IOS Software.
The Cisco AnyConnect Secure Mobility Client is affected by the
following vulnerabilities:
user with access to the Internet and a web browser.
III. DESCRIPTION
-------------------------
Cisco VPN SSL Clientless lets administrators define rules to specific
targets within the private network that WebVPN users will be able to
access. This specific targets are published using links in VPN SSL
home page. These links (URL) are protected (obfuscated) using a ROT13
substitution[2] and converting ASCII characters to hexadecimal. An
user with a valid account and without "URL entry" can access any
internal/external resource simply taken an URL, encrypt with ROT 13,
engines and to determine if a VAM is present and used in the device,
use the "show crypto engine brief" command, as shown in the following
example:
Router#show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: slot 4
VPN Module in slot: 4
Product Name: VAM2+
> yourself.
Well, as James pointed out already, this reply is a little silly.
But, just to be clear, if Mitsubishi had explicitly documented that this
device should only be used on a private network and had no access
controls, I don't think I'd have a problem.
However, they show a username/password box (which I'm betting is fairly
easilly circumvented if you know the right urls and can forge a cookie
on the client...) so I think it's fair game to expect them to implement
Router#show running-config | include ip http
no ip http server
ip http secure-server
Router#
* SSL Virtual Private Network (SSL VPN) also known as AnyConnect
VPN
The following example shows a device that has the SSL VPN feature
enabled:
Router#show running-config | include webvpn
Summary
=======
Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and
configured for Multiprotocol Label Switching (MPLS) Virtual Private
Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and
using Border Gateway Protocol (BGP) between Customer Edge (CE) and
Provider Edge (PE) devices may permit information to propagate
between VPNs.
Workarounds are available to help mitigate this vulnerability.
=======
The Cisco ASA 5500 Series Adaptive Security Appliance is a modular
platform that provides security and VPN services. It offers firewall,
intrusion prevention system (IPS), anti-X, and virtual private
network (VPN) services.
Cisco ASA 5500 Series Adaptive Security Appliances are affected by
the following vulnerabilities:
Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Affected Products
=================
Caution: Do not disable remote management if administrators
manage devices via the WAN connection. This action will result in
a loss of management connectivity to the device. Several features
also require remote management to be enabled, including SSL VPN
access and the Cisco Quick Virtual Private Network (QVPN)
Utility.
Remote Management is disabled by default. Administrators can
disable this feature by choosing Network Management > Remote
Management. Change the setting for this field to Disabled.
Vendor description:
-------------------
The SonicWALL Global VPN Client offers an easy-to-use, easy-to-manage
Virtual Private Network (VPN) solution that provides users at
distributed locations with secure, reliable remote access via broadband,
wireless and dial-up connections.
[source: http://www.sonicwall.com/downloads/Global_VPN_DS_US.pdf]
Certain Cisco Catalyst 6500 Series and Cisco 7600 Router devices that
run branches of Cisco IOS based on 12.2 can be vulnerable to a denial
of service vulnerability that can prevent any traffic from entering
an affected interface. For a device to be vulnerable, it must be
configured for Open Shortest Path First (OSPF) Sham-Link and Multi
Protocol Label Switching (MPLS) Virtual Private Networking (VPN).
This vulnerability only affects Cisco Catalyst 6500 Series or
Catalyst 7600 Series devices with the Supervisor Engine 32 (Sup32),
Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720)
modules. The Supervisor 32, Supervisor 720, Supervisor 720-3B,
Supervisor 720-3BXL, Route Switch Processor 720, Route Switch
>>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>>> listening service configured in the client firewall and are therefore
>>> not affected by this vulnerability. Windows XP Service Pack 2 and
>>> later operating systems include a stateful host firewall that provides
>>> protection for computers against incoming traffic from the Internet or
>>> from neighboring network devices on a private network. ... Customers
>>> running Windows XP are at reduced risk, and Microsoft recommends they
>>> use the firewall included with the operating system, or a network
>>> firewall, to block access to the affected ports and limit the attack
>>> surface from untrusted networks."
>>>
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
|
