Cisco has acknowledged a vulnerability in its 3000-series virtual private network concentrators running WebVPN.
Cisco is now trying to ascertain whether a recently released patch addressed the problem. The company has set up a test installation of the concentrator running the problematic patch to test the vulnerability and see whether administrators can retain console access to the box.
The vulnerability is described as obscure, but an exploit could use a relatively small stream directed to TCP/80 to cause a concentrator running the WebVPN service to drop all its connections.
Members of Cisco's product security incident response team suspect the problem might be triggered by either of two separate vulnerabilities, each capable of causing the dropped connections.
Cisco said its product security incident response team has been working on the issue. It suggested that customers take the steps outlined in the current security advisory to protect themselves from the potential impact of the vulnerability.
The company has previously attempted to patch the vulnerability, most recently in its 4.7.2B release.
It’s not a good sign when a supplier acknowledges a vulnerability, and essentially says, “We’ll get back to you.” Test installations, an ‘obscure problem’ and previous patch attempts spell uncertainty and security headaches.