COMMAND

    Cisco

SYSTEMS AFFECTED

    VPN3000 Concentrator

PROBLEM

    Following is based on a Cisco Security Advisory.  Sending a  flood
    of data to the SSL or regular telnet port can cause the Cisco  VPN
    3000  series  concentrators  to  reboot.   After  rebooting,   the
    equipment would function normally until the flood of data is  sent
    again.   To  remove  the  vulnerability,  Cisco  is  offering free
    software upgrades to revision  3.0.00 for all affected  platforms.
    The defect is described in DDTS record CSCds90807.

    Cisco VPN 3000 series  concentrators running software releases  up
    to  but  not  including  version  3.0.00  are  affected  by   this
    vulnerability.   This  series  includes  models  3005, 3015, 3030,
    3060, and  3080.   Any model  running version  3.0.00 or  later is
    unaffected.

    This  vulnerability   does  not   affect  the   VPN  5000   series
    concentrators.   No  other  Cisco  product  is  affected  by  this
    vulnerability.

    The vulnerability occurs because the SSL or regular telnet session
    does not disconnect after repeated failed attempts and the  system
    keeps  trying  to  interpret  the  data  coming  in  on the SSL or
    regular telnet port.  Therefore, data coming in at an uncontrolled
    rate can flood the telnet  queues causing a shortage of  memory on
    the system resulting in a reboot.  This has been fixed by ensuring
    that a  SSL or  regular telnet  session is  terminated after three
    repeated failed attempts.  The vulnerability is documented as DDTS
    CSCds90807.

    Sending a  flood of  data to  the SSL  or regular  telnet port can
    cause  the  VPN  3000  series  concentrators  to  reboot.    While
    reloading,  the  device  cannot  handle  any  traffic.  Repeatedly
    causing the affected device to  reload will result in a  denial of
    service, thus affecting the availability of the device.

    SSL  and  regular  telnet  service  on  the  external interface is
    disabled by default.

SOLUTION

    The vulnerability has been fixed in revision 3.0.00 code.  The fix
    will be carried forward into all future releases.

    The vulnerability can be avoided by disabling all Telnet access to
    the equipment until you upgrade.   There are two ways to  disallow
    telnet on any given interface -  you can use a filter whose  rules
    don't allow telnet, or by creating a rule that specifically denies
    telnet  access  and  applying  that  to  your  existing filter(s).
    Further details can be found at the this URL

        http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/vpn3kco/vcoug/usrguide/polmgt.htm

    After  disabling  SSL  and  regular  telnet  the  equipment can be
    managed via the console port or via browser access.