PT-2002-1862 · Cisco · Cisco VPN 5000 Series Concentrator

Published: 2002-08-12 · Updated: 2018-10-30 · CVE-2002-0848

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions:
Cisco VPN 5000 series concentrator hardware versions 6.0.21.0002 and earlier
Cisco VPN 5000 series concentrator hardware versions 5.2.23.0003 and earlier

Description: The issue allows remote attackers to steal passwords via sniffing because the user password is sent in cleartext in a validation retry request when using RADIUS with a challenge type of Password Authentication Protocol (PAP) or Challenge.

Recommendations: For versions 6.0.21.0002 and earlier, consider disabling the use of Password Authentication Protocol (PAP) or Challenge with RADIUS until a fix is available. For versions 5.2.23.0003 and earlier, consider disabling the use of Password Authentication Protocol (PAP) or Challenge with RADIUS until a fix is available. As a temporary workaround, restrict access to the RADIUS authentication mechanism to minimize the risk of exploitation.

Fix

Related identifiers

CVE-2002-0848

Affected products

Cisco VPN 5000 Series Concentrator