Network Computing is part of the Informa Tech Division of Informa PLC


Cisco Warns Of Vulnerability In VPN Device

Cisco Systems on Friday released a security advisory about its VPN 3000 Series concentrators, which have a vulnerability that could allow a malicious user to send a crafted HTTP packet that could result in a denial-of-service attack.

Cisco has made free software available to affected customers to address the vulnerability, and has provided workarounds. HTTP, which the Web-based management interface uses, is enabled by default on the VPN 3000 concentrators, but Cisco recommends disabling it to mitigate the vulnerability. With HTTP disabled, the concentrator can be configured to use HTTPS (HyperText Transfer Protocol Secure). HTTPS must be enabled before disabling HTTP.

VPN 3000 concentrators running versions 4.7.0 through 4.7.2.A of the equipment's software are affected by this vulnerability. Earlier software versions are not affected.

Such vulnerabilities in Cisco VPN equipment have been discovered before, but customers should always make sure they are up to date on the latest patches and workarounds, said Tom Duffy, president and CEO of igxglobal, a Rock Hill, Conn.-based network security solution provider.

“They should check their systems anytime a patch is issued,” Duffy said.
