Date: 30 Aug 2004 16:46:48 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [NEWS] Cisco Secure Access Control Server (ACS) Multiple DoS and Authentication Vulnerabilities
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco Secure Access Control Server (ACS) Multiple DoS and Authentication
Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/>; Cisco Secure
Access Control Server "for Windows (ACS Windows) and Cisco Secure Access
Control Server Solution Engine (ACS Solution Engine) provide
authentication, authorization, and accounting (AAA) services to network
devices such as a network access server, Cisco PIX and a router".
This advisory documents multiple Denial of Service (DoS) and
authentication related vulnerabilities for the ACS Windows and the ACS
Solution Engine servers.
DETAILS
Vulnerable Systems:
* Cisco Secure ACS versions 3.2(3) and earlier are vulnerable to
CSCef05950 and CSCed81716
* Cisco Secure ACS version 3.2(2) build 15 is vulnerable to CSCeb60017
* Cisco Secure ACS version 3.2 is vulnerable to CSCec90317 and CSCec66913
* Cisco Secure ACS is vulnerable to CSCed81716
Immune Systems:
* Cisco Secure ACS for UNIX
Note: Successfully authenticate to your ACS box to determine your software
revision. After you perform the authentication, the first screen displays
the current ACS version in this format-CiscoSecure ACS Release 3.2(3)
Build 11. ACS versions may also be displayed as 003.002(003.011), where
"011" is the build number referenced on the ACS graphical user interface
(GUI).
The vulnerabilities mentioned above are described in better detail in the
following paragraphs:
* CSCeb60017 and CSCec66913 - Cisco Secure ACS provides a Web-based
management interface, termed CSAdmin, which listens on TCP port 2002. When
flooded with TCP connections the ACS Windows and ACS Solution Engine stops
responding to any new TCP connections destined for port 2002.
Additionally, services on the ACS that process authentication related
requests might become unstable and stop responding, which hampers the
ability for ACS to process any authentication related requests. A reboot
of the device is required to restore these services.
* CSCec90317 - Cisco Secure ACS, when configured for Light Extensible
Authentication Protocol (LEAP) RADIUS Proxy, forwards LEAP authentication
requests to a secondary RADIUS server. The ACS device with LEAP RADIUS
proxy configured may crash when LEAP authentication requests are being
processed. A reboot is required to bring the device back to an operational
state.
* CSCed81716 - Cisco Secure ACS can communicate with external databases
and authenticate users against those databases. One of the external
databases that ACS supports is Novell Directory Services (NDS). If an
anonymous bind in NDS is allowed, and if the ACS Solution Engine is
authenticating NDS users with NDS as the external database and not Generic
LDAP, then users are able to authenticate with blank passwords against
that NDS database. However, wrong passwords and incorrect usernames are
properly rejected.
* CSCef05950 - Once a user successfully authenticates to the ACS GUI on
TCP port 2002, a separate TCP connection is created between the browser
and ACS administration Web service, with a random destination port. If an
attacker spoofs the IP address of the user computer, and accesses the ACS
GUI on this random port, then the attacker may be able to connect to the
ACS GUI, bypassing authentication. Authentication to the ACS server may
also be bypassed if the attacker is behind the same PAT device as that of
the ACS user and accesses the ACS GUI on this random port.
Impact
* CSCeb60017, CSCec66913, and CSCec90317 - These vulnerabilities may
cause a crash impacting the availability of services on the ACS devices.
Until the device is rebooted a DoS is the result.
* CSCed81716 - This vulnerability may allow unauthorized users to access
AAA clients without an effective password (using blank passwords) if the
bind to the NDS database is anonymous.
* CSCef05950 - This vulnerability may allow unauthenticated users to gain
access to the ACS Administration GUI.
Patch Availability:
The above mentioned vulnerabilities have already been fixed by Cisco.
Users are encouraged to perform upgrade procedures, as indicated:
* ACS Windows version 3.3 -
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guide09186a0080238b18.html#wp998991> http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guide09186a0080238b18.html#wp998991
* ACS Windows 3.2 -
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guide09186a0080184928.html#wp9472> http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guide09186a0080184928.html#wp9472
* ACS Solution Engine -
<http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204d45.html#wp911224> http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204d45.html#wp911224
Possible Workarounds:
* Configure an IP address filter on ACS Windows and ACS Solution Engine
to limit the exposure of these vulnerabilities. From within the ACS GUI,
browse to Administration Control > Access Policy to limit access to only
the machines that need to administer the ACS remotely.
* Apply access control lists (ACLs) on routers, switches and firewalls
that filter traffic to the ACS so that traffic is only allowed from
stations that need to remotely administer the box. Refer to
<http://www.cisco.com/warp/public/707/tacl.html>;
http://www.cisco.com/warp/public/707/tacl.html for examples on how to
apply ACLs on Cisco routers.
* As a best practice, use HTTPS to limit access to the Cisco ACS GUI.
Issues detailed in CSCef05950 still exist when you use HTTP instead of
HTTPS to access the Cisco ACS GUI.
Refer to
<http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/a.htm#wp89030> http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/a.htm#wp89030 for information on how to set up an access policy on the Cisco ACS.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com.> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20040825-acs.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20040825-acs.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
