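#
# This script was written by Renaud Deraison
#
# See the Nessus Script License for details
#
# Thanks to Nicolas FISCHBACH (nico@securite.org) for his help
#
# Ref: http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
#
# Detection approach: this is a passive, version-based check. It never
# requests the affected HTML pages; it only compares the SNMP sysDescr string
# already stored in the knowledge base against the software trains listed
# below, after confirming that a web server is reachable on the target.
# A finding therefore means "the advertised version is in the affected
# range", not "the disclosure was observed".

if(description)
{
 script_id(11294);
 script_version("$Revision$");

 name["english"] = "CSCdw50657";
 script_name(english:name["english"]);

 # Report text shown to the operator. It is kept byte-for-byte because it is
 # runtime output, including the caveat that the result is banner-based.
 desc["english"] = " The remote VPN concentrator discloses the certificate passwords of its users in the source HTML pages of the embedded web server. This vulnerability is documented as Cisco bug ID CSCdw50657. Solution : http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml Risk factor : Medium *** As Nessus solely relied on the banner of the remote host *** this might be a false positive ";
 script_description(english:desc["english"]);

 summary["english"] = "Uses SNMP to determine if a flaw is present";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is (C) 2003 Renaud Deraison");

 script_family(english:"CISCO");

 # The sysDescr value is read from the KB, so the SNMP collection script
 # must have run first.
 script_dependencie("snmp_sysDesc.nasl");
 script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");
 script_require_ports("Services/www", 80);
 exit(0);
}

# The code starts here

# ok becomes 1 as soon as one affected-version pattern matches.
ok = 0;

# No sysDescr in the KB means there is nothing to compare against.
os = get_kb_item("SNMP/sysDesc");
if(!os)exit(0);

# The flaw lives in the embedded web server, so only continue when a web
# service is known. If service detection recorded none, fall back to a plain
# TCP connect on port 80 and stop when it is closed or unreachable.
port = get_kb_list("Services/www");
if(isnull(port))
{
 if(!get_port_state(80))exit(0);
 soc = open_sock_tcp(80);
 if(!soc)exit(0);
 else close(soc);
}

# Is this a VPN3k concentrator ?
if(!egrep(pattern:".*VPN 3000 Concentrator.*", string:os))exit(0);

# < 3.5.2
# NOTE(review): [0-1] is not followed by a boundary, so a build string such
# as 3.5.1x would match as well - confirm against real sysDescr values.
if(egrep(pattern:".*Version 3\.5\.Rel.*", string:os))ok = 1;
if(egrep(pattern:".*Version 3\.5\.[0-1].*", string:os))ok = 1;

# 3.1.x
# The original pattern ended in "3\.1\.*" (zero or more literal dots), which
# also matched unrelated strings such as "Version 3.10". Requiring the dot
# after "3.1" keeps the match on the 3.1 train, like the 3.0.x and 2.x
# patterns below.
if(egrep(pattern:".*Version 3\.1\..*", string:os))ok = 1;

# 3.0.x
if(egrep(pattern:".*Version 3\.0\..*", string:os))ok = 1;

# 2.x.x
if(egrep(pattern:".*Version 2\..*", string:os))ok = 1;

# The finding is attached to the SNMP port (161/udp), presumably because the
# version evidence comes from SNMP rather than from the web server itself.
if(ok)security_warning(port:161, proto:"udp");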