Organizations running certain Cisco VPN gear may be susceptible to a remote denial-of-service attack that could knock out network connections for teleworkers or traveling employees accessing a corporate network over the Internet.
A flaw in the Cisco VPN 3000 Concentrator could cause the device to reload or drop user connections if an attacker sends a specially crafted HTTP packet to the device, the vendor says. A software upgrade is required to remove the vulnerability, and Cisco lists several workarounds that can block attacks until the upgrade is applied.
Cisco VPN 3000 concentrators are devices that terminate encrypted connections for remote end-users accessing a network via the Internet.
This latest vulnerability is another example of an attack on the HTTP service running on Cisco devices. HTTP is used for the Web-based management interface and is enabled by default on VPN 3000 Concentrators, Cisco says.
VPN 3000 Concentrators running software versions 4.7.0 through 4.7.2.A are affected by this vulnerability, Cisco says. Software releases prior to 4.7 are not affected.
For the vulnerability to be exploited, the crafted HTTP packets must target the VPN 3000 Concentrator specifically, Cisco says. The device cannot be brought down by regular VPN traffic.
Cisco recommends disabling HTTP on the VPN box and using Secure HTTP (HTTPS) for management instead. HTTPS must be enabled before regular HTTP is disabled, Cisco advises, or administrators lose Web access to the device. Users can also set up access control lists (ACLs) to block external HTTP traffic from reaching the VPN 3000 Concentrator, since only trusted internal users should ever reach the device's Web interface. Cisco says this is a best practice for all of its devices with HTTP services, including routers, switches and other gear.
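As an added illustration, not part of the original article or of Cisco's advisory, the following shows the ACL half of the workaround as it would be written on an upstream Cisco IOS router that sits between the Internet and the concentrator's public interface. The concentrator's public address (203.0.113.10), the router interface name and the choice to leave HTTPS reachable from outside are all assumptions; the concentrator-side step (enable HTTPS, then disable HTTP) is performed on the device itself and is not shown here.

```cisco
! Added example, not from the article or the Cisco advisory.
! Assumed topology: Internet -> this IOS router -> VPN 3000 public interface.
! Assumed concentrator public address: 203.0.113.10 (documentation range).
ip access-list extended VPN3K-PUBLIC-IN
 remark Drop unencrypted Web-management traffic aimed at the concentrator.
 remark Order matters: this deny must come before the catch-all permit below.
 deny   tcp any host 203.0.113.10 eq www log
 remark If nobody needs HTTPS from the Internet (no SSL VPN users, no remote
 remark admins), add the next line too; it also blocks HTTPS from outside:
 remark   deny tcp any host 203.0.113.10 eq 443
 remark IPsec remote-access traffic must keep flowing: ISAKMP, NAT-T, ESP.
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 remark Without this line the list's implicit deny would drop everything else.
 permit ip any any
!
interface Serial0/0
 description Internet-facing link (assumed interface name)
 ip access-group VPN3K-PUBLIC-IN in
```

The `log` keyword on the deny line makes every blocked HTTP attempt show up in syslog, and `show ip access-lists VPN3K-PUBLIC-IN` reports hit counters per entry, so an operator can confirm the filter is actually being matched rather than assume it. Internal administrators are unaffected because they reach the Web interface through the concentrator's private interface, which this list never sees.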