Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition for targeted users of the AnyConnect service on an affected device. This vulnerability is due to insufficient entropy for handlers that are used during SSL VPN session establishment. An unauthenticated attacker could exploit this vulnerability by brute forcing valid session handlers. An authenticated attacker could exploit this vulnerability by connecting to the AnyConnect VPN service of an affected device to retrieve a valid session handler and, based on that handler, predict further valid session handlers. The attacker would then send a crafted HTTPS request using the brute-forced or predicted session handler to the AnyConnect VPN server of the device. A successful exploit could allow the attacker to terminate targeted SSL VPN sessions, forcing remote users to initiate new VPN connections and reauthenticate.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Cisco AnyConnect VPN 安全漏洞
Vulnerability Description
Cisco AnyConnect VPN是美国思科(Cisco)公司的一种虚拟专用网络(VPN)客户端,它支持远程用户通过 SSL VPN 和 IPSec VPN 连接到企业网络。 Cisco AnyConnect VPN存在安全漏洞,该漏洞源于 VPN 身份验证过程中使用的处理程序的熵值较弱以及同一过程中存在的竞争条件。允许未经身份验证的远程攻击者对受影响设备上的 AnyConnect VPN 服务造成拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A