Cisco Systems Inc. Wednesday patched flaws attackers could exploit in several firewall and VPN products to tamper with files, cause a denial of service and bypass security restrictions, including password settings.
The San Jose, Calif.-based networking giant said two flaws appear in Cisco VPN 3000 Series concentrators when file management is enabled via the File Transfer Protocol (FTP). Authenticated or unauthenticated attackers could exploit them to execute certain FTP commands and delete files on the concentrator.
Specifically, the flaws affect Cisco VPN 3000 Series concentrators 3005, 3015, 3020, 3030, 3060, and the 3080, if they are running a vulnerable software version and if the concentrator is configured to use FTP as a management protocol. FTP is enabled by default, Cisco said.
The vulnerable software versions include any version prior to 4.1, any 4.1.x version prior to and including 4.1(7)L, and any 4.7.x version prior to and including 4.7(2)F.
Meanwhile, attackers could tamper with passwords by exploiting another flaw in the following products:
- Cisco PIX 500 Series security appliances
- ASA 5500 Series Adaptive Security Appliances (ASA)
- Firewall Services Module (FWSM)
"Certain versions of the software for the Cisco PIX 500 Series security appliances, the Cisco ASA 5500 Series Adaptive Security Appliances (ASA), and the Firewall Services Module (FWSM) are affected by a software bug that may cause the 'EXEC' password, passwords of locally defined usernames and the 'enable' password in the startup configuration to be changed without user intervention," Cisco said.
Unauthorized users could exploit the flaw to try to gain access to a device that has been reloaded after the passwords in its startup configuration have been changed, the company added. Authorized users could be locked out and lose the ability to manage the affected device as a result.
Cisco PIX 500 Series security appliances, ASA 5500 Series Adaptive Security Appliances and the Firewall Services Module (FWSM) for Catalyst 6500 Switches and 7600 Series Routers are affected if they are running an affected software version, the vendor said.
PIX 500 Series security appliances and ASA 5500 Series Adaptive Security Appliances are affected when running:
- Any version (including interim versions) in the 7.0(x) train up to and including 7.0(5)
- Any version (including interim versions) in the 7.1(x) train up to and including 7.1(2.4)
FWSM for the Catalyst 6500 Switches and 7600 Series Routers is affected when running any version (including interim versions) in the 3.1(x) train up to and including 3.1(1.6).
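As an added example (not from Cisco or the article), the following Python check parses Cisco's major.minor(maintenance[.interim])[build letter] release strings and tests a reported version against the affected ranges listed above for all three product families; the product keys, function names, and the assumption that the trailing build letter sorts alphabetically are mine.

```python
import re
from typing import Tuple

# Cisco release strings look like "4.1(7)L", "7.1(2.4)" or "3.1(1.6)":
# major.minor(maintenance[.interim])[build letter].
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)([A-Za-z]*)$")
Version = Tuple[int, int, int, int, str]

def parse_version(text: str) -> Version:
    """Split a Cisco release string into a comparable tuple.

    A missing interim number counts as 0, so 7.0(5) sorts before the interim
    build 7.0(5.1); the build letter (assumed to sort alphabetically) comes last.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco version string: {text!r}")
    major, minor, maint, interim, suffix = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0), suffix.upper())

# Affected ranges exactly as the article states them: (train, last affected
# release). A train of None means "every release below that version".
AFFECTED = {
    "vpn3000": [(None, "4.1(0)"), ((4, 1), "4.1(7)L"), ((4, 7), "4.7(2)F")],
    "pix_asa": [((7, 0), "7.0(5)"), ((7, 1), "7.1(2.4)")],
    "fwsm": [((3, 1), "3.1(1.6)")],
}

def is_affected(product: str, version: str) -> bool:
    """True if the running release falls inside an affected range for product."""
    v = parse_version(version)
    for train, last in AFFECTED[product]:
        last_v = parse_version(last)
        if train is None and v < last_v:
            return True
        if train is not None and v[:2] == train and v <= last_v:
            return True
    return False

def vpn3000_exposed(version: str, ftp_management_enabled: bool = True) -> bool:
    """The FTP flaws need a vulnerable release *and* FTP file management, which
    the article says is on by default, hence the flag's default of True."""
    return ftp_management_enabled and is_affected("vpn3000", version)

if __name__ == "__main__":
    for product, ver in [("vpn3000", "4.1(7)L"), ("pix_asa", "7.1(2.4)"), ("fwsm", "3.1(2)")]:
        print(product, ver, "affected" if is_affected(product, ver) else "not affected")
```

Trains the article does not list (for example VPN 3000 4.2 through 4.6) are reported as not affected only because the text says nothing about them; check the vendor advisory before relying on that.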