Cisco, vendors scramble to fix VPN vulnerabilities

A vulnerability in virtual private networks (VPNs) from several large vendors could leave large parts of the internet open to denial of service attacks, numerous software companies warned Tuesday.

Scientists at Finland's University of Oulu first warned of the vulnerabilities in products from Cisco, Juniper, 3Com and other companies on Monday.

A joint advisory from the Finnish Communications Regulatory Authority and the British National Infrastructure Security Coordination Center said Tuesday that users should seek fixes from their vendors for this weakness.

"These flaws may expose denial of service conditions, format string vulnerabilities and buffer overflows," the advisory warned. "In some cases, it may be possible for an attacker to execute code." Cisco also warned users on Tuesday, saying the vulnerability affected versions of its PIX Firewall, IOS and VPN 3000 Series Concentrators.

"Successful exploitation of the vulnerability on the Cisco MDS Series may result in the restart of the (internet key exchange) process," the vendor warned. "All other Cisco MDS device operations will continue normally."
