Two Cisco advisories: cisco-sa-20110330-nac and cisco-sa-20110330-acs

Two Cisco advisories: cisco-sa-20110330-nac and cisco-sa-20110330-acs
Normally two Cisco security advisories would warrant a "One-liner" of their existence, with URLs pointing to them. In this case eagle eye fellow handler Daniel noticed some of the wording in one of them. Its name is "Cisco Secure Access Control System Unauthorized Password Change Vulnerability" and it lives at: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml This is the summary: "A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store. " So essentially pretty much anyone can change anyone elses password, any time they feel like it, as long as they know the user account. So far so good. The interesting part comes next: "This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password." So, hypothetically speaking if I knew a user account, changed its password to one only I knew, could I not then start changing stuff? I would suppose that the account I changed would have to have privileges to make changes. Therefore, it must be impossible to guess or find any accounts that are able to make changes? There are some caveats: "This vulnerability cannot be used to change the password for the following types of users accounts: User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface Users accounts for the Cisco Secure ACS server itself that have been configured through the username username password password CLI command" So which accounts does that leave that may be able to make changes? The other advisory summary "Cisco Network Access Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network. " is here: http://www.cisco.com/warp/public/707/cisco-sa-20110330-nac.shtml Comments? Cheers, Adrien de Beaupré Intru-shun.ca Inc.	Adrien de Beaupre 353 Posts ISC Handler Mar 30th 2011
Thread locked Subscribe	Mar 30th 2011 1 decade ago
"So which accounts does that leave that may be able to make changes?" As the ACS can be used as a RADIUS or TACACS+ server to store VPN user accounts, admin accounts for network hardware, application user accounts and many other types of accounts. For sites that are using single-factor password authentication, an attacker might gain VPN access to internal networks and/or to accounts used to manage servers, routers, switches, firewalls etc. or accounts that have access to confidential information. Of course this is just my understanding, based on the information in the vulnerability announcement. Does anyone else see it differently?	John 13 Posts
Quote	Mar 31st 2011 1 decade ago
John: That's my understanding as well. The accounts vulnerable are all the accounts that could be authenticated through the RADIUS service, except ACS system accounts and accounts stored in external databases. That's a lot for those who use RADIUS consistently.	John 4 Posts
Quote	Apr 1st 2011 1 decade ago

Normally two Cisco security advisories would warrant a "One-liner" of their existence, with URLs pointing to them. In this case eagle eye fellow handler Daniel noticed some of the wording in one of them. Its name is "Cisco Secure Access Control System Unauthorized Password Change Vulnerability" and it lives at: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml

This is the summary: "A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store. "

So essentially pretty much anyone can change anyone elses password, any time they feel like it, as long as they know the user account. So far so good. The interesting part comes next: "This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password."

So, hypothetically speaking if I knew a user account, changed its password to one only I knew, could I not then start changing stuff? I would suppose that the account I changed would have to have privileges to make changes. Therefore, it must be impossible to guess or find any accounts that are able to make changes? There are some caveats: "This vulnerability cannot be used to change the password for the following types of users accounts:

User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server
System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface
Users accounts for the Cisco Secure ACS server itself that have been configured through the username username password password CLI command"

So which accounts does that leave that may be able to make changes?

The other advisory summary "Cisco Network Access Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network. " is here: http://www.cisco.com/warp/public/707/cisco-sa-20110330-nac.shtml

Comments?

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Adrien de Beaupre

353 Posts
ISC Handler

Mar 30th 2011

"So which accounts does that leave that may be able to make changes?"

As the ACS can be used as a RADIUS or TACACS+ server to store VPN user accounts, admin accounts for network hardware, application user accounts and many other types of accounts. For sites that are using single-factor password authentication, an attacker might gain VPN access to internal networks and/or to accounts used to manage servers, routers, switches, firewalls etc. or accounts that have access to confidential information.

Of course this is just my understanding, based on the information in the vulnerability announcement. Does anyone else see it differently?

John

13 Posts

John:
That's my understanding as well. The accounts vulnerable are all the accounts that could be authenticated through the RADIUS service, except ACS system accounts and accounts stored in external databases.
That's a lot for those who use RADIUS consistently.

John
4 Posts