Date: Wed, 03 Sep 2008 17:04:16 +0200
From: Laurent Butti <laurent.butti@orange-ftgroup.com.>
To: [email protected]Subject: Cisco Secure ACS EAP Parsing Vulnerability
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 03 Sep 2008 15:02:25.0820 (UTC) FILETIME=[1381B5C0:01C90DD6]
X-Virus-Scanned: antivirus-gw at tyumen.ru
Title:
* Cisco Secure ACS does not correctly parse the length of EAP-Response
packets which allows remote attackers to cause a denial of service and
possibly execute arbitrary code
Summary:
* A remote attacker (acting as a RADIUS client) could send a specially
crafted EAP Response packet against a Cisco Secure ACS server in such a
way as to cause the CSRadius service to crash (reliable). This bug may
be triggered if the length field of an EAP-Response packet has a certain
big value, greater than the real packet length. Any EAP-Response can
trigger this bug: EAP-Response/Identity, EAP-Response/MD5,
EAP-Response/TLS...
Affected Products:
* All versions of Cisco Secure ACS that support EAP, to be more precise,
check the Cisco Advisory cisco-sr-20080903-csacs
Assigned CVE:
* CVE-2008-2441
Details:
* An EAP packet is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Identity...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* For example, the following packet will trigger the vulnerability and
crash CSRadius.exe:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2 | 0 | 0xdddd |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 1 | abcd
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Attack Impact:
* Denial-of-service and possibly remote arbitrary code execution
Attack Vector:
* Have access as a RADIUS client (knowing or guessing the RADIUS shared
secret) or from an unauthenticated wireless device if the access point
relays malformed EAP frames
Timeline:
* 2008-05-05 - Vulnerability reported to Cisco
* 2008-05-05 - Cisco acknowledged the notification
* 2008-05-05 - PoC sent to Cisco
* 2008-05-13 - Cisco confirmed the issue
* 2008-09-03 - Coordinated public release of advisory
Credits:
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange
