Detections
Analytics

Cisco IOS Software WebVPN and SSLVPN Vulnerabilities - Cisco Systems

high Nessus Plugin ID 49036

Language:

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:

 - Crafted HTTPS packet will crash device.
 (CVE-2009-0626)

 - SSLVPN sessions cause a memory leak in the device.
 (CVE-2009-0628)

Cisco has released free software updates that address these vulnerabilities.
There are no workarounds that mitigate these vulnerabilities.

Solution

Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20090325-webvpn.

See Also

http://www.nessus.org/u?a91cd0e5

http://www.nessus.org/u?604ac742

Plugin Details

Severity: High

ID: 49036

File Name: cisco-sa-20090325-webvpnhttp.nasl

Version: 1.21

Type: combined

Family: CISCO

Published: 9/1/2010

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: cpe:/o:cisco:ios

Required KB Items: Host/Cisco/IOS/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 3/25/2009

Vulnerability Publication Date: 3/25/2009

Reference Information

CVE: CVE-2009-0626, CVE-2009-0628

BID: 34239