Normally two Cisco security advisories would warrant a "One-liner" noting their existence, with URLs pointing to them. In this case eagle-eyed fellow handler Daniel noticed some of the wording in one of them. Its name is "Cisco Secure Access Control System Unauthorized Password Change Vulnerability" and it lives at: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml

This is the summary:

"A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store."

So essentially pretty much anyone can change anyone else's password, any time they feel like it, as long as they know the user account. So far so good. The interesting part comes next:

"This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password."

So, hypothetically speaking, if I knew a user account and changed its password to one only I knew, could I not then start changing stuff? I would suppose that the account I changed would have to have privileges to make changes. Therefore, it must be impossible to guess or find any accounts that are able to make changes? There are some caveats:

"This vulnerability cannot be used to change the password for the following types of users accounts:
So which accounts does that leave that may be able to make changes?

The other advisory summary, "Cisco Network Access Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network.", is here: http://www.cisco.com/warp/public/707/cisco-sa-20110330-nac.shtml

Cheers,
Adrien de Beaupre 353 Posts ISC Handler Mar 30th 2011
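The bug class the advisory describes is a password-change path that never asks the caller to prove possession of the account's current credential. The following is an added illustration, not Cisco's code and not part of the diary: a hypothetical internal identity store (names such as `IdentityStore`, `change_password_unchecked` and the audit-record layout are invented) with the unchecked handler next to its hardened form, plus a helper that pulls unauthenticated changes out of the store's audit trail, which is the kind of record a defender would want to review after reading this advisory.

```python
"""Hypothetical illustration of an unauthenticated password-change path
(the bug class in cisco-sa-20110330-acs) beside a hardened version.
Not Cisco ACS code; all names and the audit-log format are constructed."""
import hashlib
import hmac
import os

_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; salt is per-user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class IdentityStore:
    """Minimal stand-in for an internal identity store (constructed)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self.audit: list[tuple[str, str, str]] = []       # (event, user, how)

    def add_user(self, username: str, password: str) -> None:
        self._set_password(username, password)

    def _set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        """Constant-time credential check; unknown users cost the same time."""
        record = self._users.get(username)
        if record is None:
            _hash(password, b"\x00" * 16)  # equalise timing for missing users
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash(password, salt))

    def change_password_unchecked(self, username: str, new_password: str) -> bool:
        """Vulnerable pattern: nothing ties the request to the account holder.
        Any caller who knows a username can set that account's password."""
        if username not in self._users:
            return False
        self._set_password(username, new_password)
        self.audit.append(("change", username, "unauthenticated"))
        return True

    def change_password(self, username: str, current_password: str,
                        new_password: str) -> bool:
        """Hardened pattern: the caller must present the current password."""
        if not self.verify(username, current_password):
            self.audit.append(("change-denied", username, "bad current password"))
            return False
        self._set_password(username, new_password)
        self.audit.append(("change", username, "authenticated"))
        return True


def suspicious_changes(store: IdentityStore) -> list[tuple[str, str, str]]:
    """Audit-review helper: password changes with no authenticated requester."""
    return [e for e in store.audit if e[0] == "change" and e[2] == "unauthenticated"]


if __name__ == "__main__":
    store = IdentityStore()
    store.add_user("netadmin", "Old-Pass-1")          # constructed sample account
    store.change_password_unchecked("netadmin", "anyone-chose-this")
    print("unchecked path changed the password:",
          store.verify("netadmin", "anyone-chose-this"))
    print("hardened path without old password:",
          store.change_password("netadmin", "wrong", "x"))
    print("flagged audit entries:", suspicious_changes(store))
```

The difference between the two handlers is a single `verify` call, which is why this class of bug is easy to miss in review and worth a dedicated test: a password-change test suite should include the negative case (wrong or absent current password) for every code path that can rewrite a credential, and any audit record of a credential change with no authenticated principal attached should be treated as a finding.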
"So which accounts does that leave that may be able to make changes?"
The ACS can be used as a RADIUS or TACACS+ server to store VPN user accounts, admin accounts for network hardware, application user accounts and many other types of accounts. For sites that are using single-factor password authentication, an attacker might gain VPN access to internal networks and/or to accounts used to manage servers, routers, switches, firewalls etc., or accounts that have access to confidential information. Of course this is just my understanding, based on the information in the vulnerability announcement. Does anyone else see it differently?
John 13 Posts Mar 31st 2011
John:
That's my understanding as well. The accounts vulnerable are all the accounts that could be authenticated through the RADIUS service, except ACS system accounts and accounts stored in external databases. That's a lot for those who use RADIUS consistently.
John 4 Posts Apr 1st 2011