Cisco Systems released two security advisories on Wednesday warning about vulnerabilities in its firewall and VPN products.
The networking manufacturer addressed two problems in its VPN 3000 Series concentrators that could allow attackers to execute certain File Transfer Protocol (FTP) commands and delete files on the concentrator. Both authenticated and unauthenticated attackers can exploit the flaws, though they don't allow unauthorized users to transfer files to or from the concentrators.
All six versions in the series are affected by the vulnerabilities, though they are only open to attack if they are running a vulnerable software version and if the concentrator is configured to use FTP as a management protocol. Many IT shops are expected to be affected, as FTP is enabled by default. The vulnerable software versions are any version prior to 4.1, any 4.1.x version up to and including 4.1(7)L, and any 4.7.x version up to and including 4.7(2)F. Cisco recommends that businesses download updated versions of the software; where this is not possible, the company suggests working around the problem by disabling or limiting FTP access.
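The version ranges and the FTP condition above can be applied to a device inventory as follows. This is an added example, not code from Cisco or the article; the hostnames, the inventory format, and the ordering rule (an unlettered release precedes lettered ones, and letters sort alphabetically) are assumptions.

```python
import re

# Matches the article's notation: "4.0", "4.1(7)L", "4.7(2)F".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\)([A-Z]?))?$")

# Last affected release in each train, as stated in the article.
LAST_AFFECTED = {(4, 1): (7, "L"), (4, 7): (2, "F")}

def parse_version(text):
    m = _VERSION.match(text.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, letter = m.groups()
    return int(major), int(minor), int(maint or 0), letter or ""

def version_status(text):
    """Return 'affected', 'not-affected' or 'unlisted' for a version string."""
    major, minor, maint, letter = parse_version(text)
    train = (major, minor)
    if train < (4, 1):
        return "affected"  # any version prior to 4.1
    if train in LAST_AFFECTED:
        # Assumed ordering: "" < "A" < "B" ... within one maintenance level.
        if (maint, letter) <= LAST_AFFECTED[train]:
            return "affected"
        return "not-affected"
    return "unlisted"  # the article gives no range for this train

def triage(inventory):
    """inventory: iterable of (hostname, version, ftp_management_enabled)."""
    findings = {}
    for host, version, ftp_enabled in inventory:
        status = version_status(version)
        if status == "affected":
            # Only reachable through the flaw if FTP management is on.
            status = "exposed" if ftp_enabled else "affected-ftp-off"
        findings[host] = status
    return findings

# Constructed inventory for illustration only.
SAMPLE = [
    ("vpn-a.example", "4.1(7)L", True),
    ("vpn-b.example", "4.7(2)F", False),
    ("vpn-c.example", "4.7(3)", True),
    ("vpn-d.example", "5.0", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as `affected-ftp-off` still need the software update; the FTP setting only reflects the workaround the article mentions.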
In addition to the concentrator patch, Cisco also released an advisory about a vulnerability in multiple firewall versions that allows for the EXEC password, passwords of locally defined usernames, and the enable password in the startup configuration to be changed without user intervention. This bug affects Cisco PIX 500 Series Security Appliances, the Cisco ASA 5500 Series Adaptive Security Appliances (ASA), and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Switches and Cisco 7600 Series Routers.
An attacker could exploit the flaw to obtain unauthorized access after passwords have been changed and to lock out authorized users from affected devices.
Unauthorized users can take advantage of this bug to try to gain access to a device that has been reloaded after passwords in its startup configuration have been changed. In addition, authorized users can be locked out and lose the ability to manage the affected device. The bug can be triggered in two ways: either during a software crash or when two or more users make concurrent changes to the configuration of the device.
Cisco has not yet released a patch to fix the flaw, but it did publish multiple suggestions in the advisory for workarounds in the meantime.