Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:221164
HistoryJun 23, 2003 - 12:00 a.m.

Cisco VPN 3000 Concentrator vulnerable to DoS via large number of malformed ICMP packets

2003-06-2300:00:00
www.kb.cert.org
7

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.007 Low

EPSS

Percentile

80.8%

JSON

Overview

A vulnerability in some Cisco Virtual Private Network (VPN) products could allow a remote attacker to cause a denial of service.

Description

The Cisco VPN 3000 Series Concentrators and the Cisco VPN 3002 Hardware Clients are Virtual Private Network (VPN) platforms designed to provide secure remote network access. Some models of these devices contain a vulnerability by which a flood of malformed ICMP packets could result in performance degradation or cause the affected device to reboot.

Impact

A denial-of-service condition can result from degraded performance or unexpected rebooting of the affected device.

Solution

Cisco Systems Inc. has released software patches and workaround information for this vulnerability. Please see the vendor information section of this document for more details.

Workarounds

Filter malformed ICMP packets on network devices that are upstream from the affected VPN Concentrator device. Sites may wish to apply this workaround in conjunction with the application of the recommended patches. As a general rule, the CERT/CC recommends that sites block all types of network traffic that are not explicitly required for normal operation.

Vendor Information

221164

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Cisco Systems Inc. __ Affected

Updated: May 08, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cisco Systems Inc. has released Cisco Security Advisory 20030507-vpn3k in response to this issue. Users are encouraged to review this advisory and apply the patches and workarounds it recommends.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23221164 Feedback>).

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Cisco Systems Product Security Incident Response Team for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2003-0260
Severity Metric: 11.81 Date Public:

Related

cve 1
nessus 1
cisco 1
cve
cve
CVE-2003-0260
2003-05-27 04:00:00
nessus
nessus
Cisco VPN 3000 Series Multiple Vulnerabilities (CSCdea77143, CSCdz15393, CSCdt84906)
2003-05-07 00:00:00
cisco
cisco
Cisco VPN 3000 Concentrator Vulnerabilities
2003-05-07 16:00:00

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.007 Low

EPSS

Percentile

80.8%

JSON
Related for VU:221164
cve1nessus1cisco1