Cisco Systems recommends users of its Secure Access Control Server and Access Control Server Solution Engine apply patches against multiple vulnerabilities an attacker could use to cause a denial of service or bypass user authentication.
The San Jose, Calif.-based network giant, stressing the importance of applying the patches, described the equipment's multiple functions in its advisory: "Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) provides authentication, authorization, and accounting (AAA) services to network devices such as a network access server, Cisco PIX and a router."
Copenhagen, Denmark-based security firm Secunia described four vulnerabilities in its advisory. The first is a connection handling flaw in CSAdmin, the web-based management interface. This causes the interface to stop answering requests when it's flooded with TCP connections. Other services that process authentication-related requests could also lose stability or stop responding as a result. This vulnerability affects version 3.2(2) build 15.
The second is that an error in the processing of Lightweight Extensible Authentication Protocol (LEAP) authentication requests can be exploited to crash a vulnerable device. Successful exploitation of this vulnerability, which affects version 3.2, requires that the device has been configured as a LEAP RADIUS proxy.
The third is an authentication error in the handling of Novell Directory Services (NDS). "Users can be exploited to be authenticated against a NDS database by supplying a valid username and a blank password. Successful exploitation requires that an anonymous bind is allowed in NDS, and NDS users are authenticated with NDS as an external database," Secunia said. This affects versions 3.2(3) and prior of the ACS Solution Engine.
The fourth problem is an authentication error in the ACS administration Web service that could allow an attacker to bypass authentication entirely. "The problem is that an ACS GUI is created on a random port when a user is successfully authenticated, following only the user's IP address. It is used to confirm the user's identity when accessing this GUI," Secunia said. "This can be exploited to bypass the user authentication by accessing the ACS GUI created on a random port with a spoofed IP address matching an authenticated user." This affects versions 3.2(3) and prior.
The security holes only affect Cisco Secure ACS for Windows and the Cisco Secure ACS Solution Engine.
While Cisco recommends users apply the patches, it offered three workarounds for those who can't patch right away:
- Configure an IP address filter on ACS Windows and ACS Solution Engine to limit the exposure of these vulnerabilities. From within the ACS GUI, browse to "Administration Control > Access Policy" to limit access to only the machines that need to administer the ACS remotely.
- Apply access control lists (ACLs) on routers, switches and firewalls that filter traffic to the ACS so that traffic is only allowed from stations that need to remotely administer the box. Cisco provides examples of how to apply ACLs on Cisco routers.
- As a best practice, use HTTPS to limit access to the Cisco ACS GUI. The vulnerabilities still exist when HTTP is used instead of HTTPS to access the Cisco ACS GUI.
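One way to implement the second workaround, as an added example that is not taken from Cisco's or Secunia's advisories: a Cisco IOS extended ACL that only lets the named administration stations reach the ACS management listener and only lets the network devices that use the ACS send it AAA traffic. All addresses are constructed placeholders; it assumes the CSAdmin listener is on TCP 2002 and that the dynamically allocated GUI port has been narrowed under "Administration Control > Access Policy" to the range shown, so the ACL and the ACS setting must be kept in step.

```cisco
! Constructed example: ACS server at 192.0.2.50, admin stations 192.0.2.10-11,
! network devices (NAS, PIX, routers) in 10.0.0.0/24.
! Assumption: CSAdmin listens on TCP 2002 and hands each authenticated session
! to a port in the range configured in the ACS Access Policy (here 20000-20100).
ip access-list extended ACS-PROTECT
 remark --- GUI access to the ACS only from the two admin stations ---
 permit tcp host 192.0.2.10 host 192.0.2.50 eq 2002
 permit tcp host 192.0.2.11 host 192.0.2.50 eq 2002
 permit tcp host 192.0.2.10 host 192.0.2.50 range 20000 20100
 permit tcp host 192.0.2.11 host 192.0.2.50 range 20000 20100
 remark --- AAA traffic from the devices that authenticate against the ACS ---
 permit udp 10.0.0.0 0.0.0.255 host 192.0.2.50 range 1645 1646
 permit udp 10.0.0.0 0.0.0.255 host 192.0.2.50 range 1812 1813
 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.50 eq 49
 remark --- anything else aimed at the ACS is dropped and logged ---
 deny ip any host 192.0.2.50 log
 remark --- traffic not destined for the ACS is left alone ---
 permit ip any any
!
interface FastEthernet0/1
 description toward user and device networks
 ip access-group ACS-PROTECT in
```

The logged denies give a simple signal for connection floods against CSAdmin. The list cannot tell a genuine admin station from a packet spoofing its address, which is why Cisco presents the ACL as a stopgap until the patch is applied.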