[NEWS] Multiple Vulnerabilities in Cisco Secure Access Control Server


From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 7 Jan 2007 18:15:39 +0200
Subject: [NEWS] Multiple Vulnerabilities in Cisco Secure Access Control Server

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
  Multiple Vulnerabilities in Cisco Secure Access Control Server
------------------------------------------------------------------------


SUMMARY

Certain versions of Cisco Secure Access Control Server (ACS) for Windows
and the Cisco Secure ACS Solution Engine (hereafter both referred to
simply as Cisco Secure ACS) are affected by multiple vulnerabilities that
cause specific Cisco Secure ACS services to crash. Two of the
vulnerabilities may permit arbitrary code execution if successfully
exploited.

DETAILS

Vulnerable Products:
The following products are vulnerable to one or more of the 
vulnerabilities, when running software versions prior to 4.1:
 * Cisco Secure Access Control Server for Windows
 * Cisco Secure Access Control Server Solution Engine

To determine whether you are running a vulnerable version of Cisco Secure
ACS, log in to the Cisco Secure ACS Web administrative interface. The
release information is shown at the bottom of the home page. The following
example would be seen when running Cisco Secure ACS software version
4.0(1) Build 27:

    CiscoSecure ACS
    ACS software version 4.0(1) Build 27:
    Copyright information is seen underneath this information.
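
The version check described above can be applied to banners collected from several servers. The following Python is an added example, not part of the Cisco advisory; the host names and every banner other than the 4.0(1) Build 27 one are constructed, and an unreadable banner is reported as unknown rather than as fixed.

```python
import re

# Fixed release per the advisory: versions prior to 4.1 are affected.
FIXED = (4, 1)

# Matches the banner format shown above, e.g. "ACS software version 4.0(1) Build 27".
BANNER_RE = re.compile(
    r"version\s+(\d+)\.(\d+)(?:\((\d+)\))?(?:\s+Build\s+(\d+))?", re.IGNORECASE
)

def parse_acs_version(banner):
    """Return (major, minor, maintenance, build), or None if no version is found."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def is_affected(banner):
    """True or False for a parsed banner, None when the banner cannot be parsed."""
    v = parse_acs_version(banner)
    if v is None:
        return None  # unknown: needs a manual check, must not be counted as safe
    return v[:2] < FIXED

# Constructed inventory: host names and all banners except the first are made up.
INVENTORY = {
    "acs-win-01": "CiscoSecure ACS\nACS software version 4.0(1) Build 27:",
    "acs-se-02": "CiscoSecure ACS\nACS software version 3.3(3) Build 11",
    "acs-win-03": "CiscoSecure ACS\nACS software version 4.1(1) Build 23",
    "acs-se-04": "login page did not load",
}

def triage(inventory):
    """Group hosts into affected / fixed / unknown."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        state = is_affected(banner)
        key = "unknown" if state is None else ("affected" if state else "fixed")
        result[key].append(host)
    return result

if __name__ == "__main__":
    for state, hosts in triage(INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

The check applies only to Cisco Secure ACS for Windows and the Solution Engine; the products listed below as not vulnerable are outside its scope.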


Products Confirmed Not Vulnerable:
 * Cisco Secure ACS for Unix (CSU).
 * Cisco CNS Access Registrar (CAR).
 * Cisco Secure ACS server for Windows version 4.1(X) or later.
 * Cisco Secure ACS server solution Engine version 4.1(X) or later.

Affected Cisco Secure ACS services, and the impact of the vulnerabilities 
are as follows:
 * Specially Crafted HTTP GET Request Vulnerability: Processing a 
specially crafted HTTP GET request may crash the CSAdmin service. This 
vulnerability is also susceptible to a stack overflow condition.
 * Specially Crafted RADIUS Accounting-Request Vulnerability: Processing a 
specially crafted RADIUS Accounting-Request packet may crash the CSRadius 
service. This vulnerability is also susceptible to a stack overflow 
condition.
 * Specially Crafted RADIUS Access-Request Vulnerabilities: Processing a 
specially crafted RADIUS Access-Request packet may crash the CSRadius 
service.

Details:
Cisco Secure ACS is a scalable, high-performance Remote Access Dial-In 
User Service (RADIUS) and Terminal Access Controller Access Control System 
Plus (TACACS+) security server.

Multiple vulnerabilities exist in certain versions of the Cisco Secure ACS 
that may cause the services CSAdmin or CSRadius to crash.

CSAdmin is the service that provides the web server for the ACS web 
administration interface.

CSRadius is the service that communicates between the CSAuth module (the 
authentication and authorization service) and the access device that is 
requesting authentication and authorization services.

Specially Crafted HTTP GET Request Vulnerability:
This vulnerability is exploited by processing a specially crafted HTTP GET 
request. Upon successful exploitation, the CSAdmin service may crash. This 
vulnerability is also susceptible to a stack based overflow condition 
which may allow arbitrary code execution if successfully exploited.

If this vulnerability is successfully exploited, the CSAdmin service will
have to be restarted manually. Normal Authentication, Authorization and
Accounting (AAA) processing will continue.

While CSAdmin is in the stopped state, users cannot access the Cisco 
Secure ACS administrative interface from any computer other than the 
Windows server or appliance on which it is running. With Cisco Secure ACS 
for Windows you can start or stop CSAdmin from the Windows Control Panel. 
With Cisco Secure ACS Solution Engine, you can restart the service by 
using only the appliance serial console.

For further details on starting the CSAdmin service please refer to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/a_arch.htm#wp7264

This vulnerability is documented in Cisco Bug ID:
 * CSCsd96293 - Stack based overflow within CSAdmin when processing HTTP
   GET request
   http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd96293

Specially Crafted RADIUS Accounting-Request Vulnerability:
This vulnerability is exploited by processing a specially crafted RADIUS 
Accounting-Request packet. Upon successful exploitation, the CSRadius 
service may crash and an exception trap error will be generated for the 
CSRadius service within the Windows Event Viewer System log. This 
vulnerability is also susceptible to a stack based overflow condition 
which may allow arbitrary code execution if successfully exploited.

The RADIUS secret key that is shared between the Network Access Server 
(NAS) and the Cisco Secure ACS server and/or appliance is required to 
exploit this vulnerability.

This vulnerability is documented in Cisco Bug ID:
 * CSCse18278 - Stack based overflow within CSRadius when processing
   Accounting-Request. (CVE-2006-4098)
   http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse18278

Specially Crafted RADIUS Access-Request Vulnerabilities:
Several vulnerabilities exist in Cisco Secure ACS that may cause the 
CSRadius service to crash when processing a specially crafted RADIUS 
Access-Request packet. These vulnerabilities will not allow arbitrary code 
execution after successful exploitation. An exception trap error will be 
recorded within the CSRadius log file and an error will be seen for the 
CSRadius service within the Windows Event Viewer System log after 
successful exploitation.

The RADIUS secret key that is shared between the Network Access Server 
(NAS) and the Cisco Secure ACS server and/or appliance is not required to 
exploit these vulnerabilities.

These vulnerabilities are documented in Cisco Bug IDs:
 * CSCse18250 - CSRadius Service crashes when processing a specially
   crafted Access-Request packet. (CVE-2006-4097)
   http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse18250
 * CSCeg04788 - CSRadius Service crashes when processing a specially
   crafted Access-Request packet.
   http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeg04788
 * CSCeg04666 - CSRadius Service crashes when processing a specially
   crafted Access-Request packet.
   http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeg04666

Impact:
Specially Crafted HTTP GET Request Vulnerability:
Successful exploitation may result in the web administrative interface
being unavailable until the CSAdmin service is restarted from the Windows
Control Panel. Normal Authentication, Authorization and Accounting (AAA)
processing will continue. This vulnerability may allow arbitrary code
execution if successfully exploited.

Specially Crafted RADIUS Accounting-Request Vulnerability:
Successful exploitation may result in RADIUS Authentication, Authorization
and Accounting processing not being performed until the CSRadius service
is restarted. TACACS+ Authentication, Authorization and Accounting (AAA)
processing will continue. Repeated exploitation could result in a
sustained Denial-of-Service (DoS) condition of the RADIUS AAA services.
This vulnerability may allow arbitrary code execution if successfully
exploited.

Specially Crafted RADIUS Access-Request Vulnerabilities:
Successful exploitation may result in RADIUS Authentication, Authorization
and Accounting processing not being performed while the CSRadius service
restarts. TACACS+ Authentication, Authorization and Accounting (AAA)
processing will continue. Repeated exploitation could result in a
sustained Denial-of-Service (DoS) condition of the RADIUS AAA services.
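
The crash behaviour described in this section can be watched for in exported event records. The following Python is an added example, not part of the Cisco advisory; the `time|service|text` record format, the sample records, the 10-minute window and the threshold of 3 are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: tune per environment
BURST = 3                       # assumption: crashes within WINDOW treated as sustained

# Constructed sample, "time|service|text"; not real Event Viewer output.
SAMPLE = """\
2007-01-08T09:00:12|CSRadius|exception trap
2007-01-08T09:03:40|CSRadius|exception trap
2007-01-08T09:07:05|CSRadius|exception trap
2007-01-08T11:30:00|CSAdmin|exception trap
2007-01-08T12:00:00|Spooler|unrelated service
2007-01-08T14:45:19|CSRadius|exception trap
"""

def crash_times(text):
    """Collect crash timestamps per ACS service, skipping other services."""
    out = {"CSAdmin": [], "CSRadius": []}
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) == 3 and parts[1] in out:
            out[parts[1]].append(datetime.fromisoformat(parts[0]))
    return out

def max_in_window(times, window=WINDOW):
    """Largest number of crashes that fall inside any one window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def assess(text):
    """Map crashes to the impact the advisory gives for each service."""
    crashes = crash_times(text)
    findings = []
    if crashes["CSAdmin"]:
        # CSAdmin stays down until restarted by hand; AAA keeps working.
        findings.append("CSAdmin: admin interface down, manual restart needed")
    peak = max_in_window(crashes["CSRadius"])
    if peak >= BURST:
        findings.append(f"CSRadius: {peak} crashes in window, sustained RADIUS DoS")
    elif crashes["CSRadius"]:
        findings.append("CSRadius: isolated crash, RADIUS AAA interrupted")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE)))
```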


ADDITIONAL INFORMATION

The information has been provided by Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml



