Message-ID: <829173BE40A7F147AC51726688B0374B6B505C@xmb-rtp-203.amer.cisco.com>
Date: Mon, 22 Aug 2005 10:36:32 -0400
From: "Dario Ciccarone (dciccaro)" <dciccaro@...co.com>
To: <llhansen-bugtraq@...ms.edu>, <bugtraq@...urityfocus.com>
Subject: RE: Cisco Clean Access Agent (Perfigo) bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is in response to the email posted by 'llhansen-bugtraq@...ms.edu'
on August 19, 2005.

The original email is available at
http://www.securityfocus.com/archive/1/408603/30/0/threaded .

Attached: a cleartext, PGP signed version of this same email.

Hi llhansen,

While it is correct that a user can modify the 'User-Agent' string
on access to the CCA Server authentication page in order to prevent
installation of the CCA Agent, there are some things that should be
clarified:

1) Users cannot bypass authentication irrespective of the value of
the 'User-Agent' string provided. Hence, there is no danger of
invalid users (users with no credentials or invalid credentials)
getting onto the network.

2) If there is the suspicion that a malicious user might try to
masquerade as non-Windows machines, e.g. Linux, in order to bypass
CCA Agent installation, the administrator can define Network Scanning
rules on the CCA Manager and use Nessus scans to determine the real
OS in use. This will catch users that are masquerading. For this, the
CCA administrator can either obtain the appropriate plug-ins from
Tenable or www.nessus.org - as an alternative, users can write and
integrate their own plugins.

3) Furthermore, if the malicious user installs a personal firewall or
similar software, in order to make the network scan time out, CCA
provides options to quarantine the malicious user if the network scan
times out. Hence, such users can also get quarantined, following which
administrators can determine whether the user is masquerading or not.

CCA continues to evolve and include safeguards to prevent malicious
users from trying to bypass the checks in place.

Thank you for your work on this problem. As always, working with the
Cisco PSIRT team is the best way to verify the accuracy of information
before posting it publicly.

We do greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist with Product Security Advisories. Our ultimate goal is to ensure
that customers have accurate information on which to base upgrade and
workaround decisions and we welcome partnership with researchers
towards that goal.

Thanks,
Dario

Quidquid latine dictum sit, altum viditur

Dario Ciccarone
CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
dciccaro@...co.com

> -----Original Message-----
> From: llhansen-bugtraq@...ms.edu [mailto:llhansen-bugtraq@...ms.edu]
> Sent: Friday, August 19, 2005 12:30 PM
> To: bugtraq@...urityfocus.com
> Subject: Cisco Clean Access Agent (Perfigo) bypass
>
> Description:
> Cisco Clean Access is an easily deployed software solution
> that can automatically detect, isolate, and clean infected or
> vulnerable devices that attempt to access your network. It
> identifies whether networked devices such as laptops,
> personal digital assistants, even game consoles are compliant
> with your network's security policies and repairs any
> vulnerabilities before permitting access to the network.
>
> Vendor site:
> http://www.cisco.com/en/US/products/ps6128/
>
> Affected versions:
> This works in at least 3.5.3.1 and 3.5.4.
>
> Discovery Date:
> 2005-08-12
>
> Report Date:
> 2005-08-19
>
> Severity:
> Medium
>
> Vulnerability:
> End users can bypass the "mandatory" installation of the
> Clean Access Agent by changing the User-Agent string of their
> browser. This allows them to connect to the network without
> the host-based checks being run. If configured, remote checks
> are still run.
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQwni8IyVGB+6GuDwEQIruwCdF/lpHQCavH7KKNtYk2RGLycAyPkAoN1W
J9PSv19tU6lDJB39nR1Hiteg
=FrBo
-----END PGP SIGNATURE-----
Download attachment "cisco-bugtraq-cca-final.txt.asc" of type "application/octet-stream" (2557 bytes)
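
Added example (not part of the original message, and not Cisco or Clean Access code): a Python sketch of the admission logic that points 1 to 3 of the reply describe, in which the client-supplied User-Agent is treated only as a claim that a remote scan must confirm. All function names, action labels and the sample User-Agent strings are hypothetical, and quarantining on an OS mismatch is an assumption, since the message says only that masquerading users are caught.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# All names here are hypothetical; this is not Clean Access code or configuration.
UA_OS_PATTERNS = [
    ("windows", re.compile(r"Windows", re.I)),
    ("macos", re.compile(r"Macintosh|Mac OS X", re.I)),
    ("linux", re.compile(r"Linux", re.I)),
]

# Constructed sample User-Agent strings.
WINDOWS_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
LINUX_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"


def claimed_os(user_agent: str) -> str:
    """OS family asserted by the client-controlled User-Agent header."""
    for family, pattern in UA_OS_PATTERNS:
        if pattern.search(user_agent):
            return family
    return "unknown"


@dataclass
class ScanResult:
    timed_out: bool                    # scan got no answer (e.g. host firewall)
    detected_os: Optional[str] = None  # OS family the remote scan identified


def admission_decision(authenticated: bool, user_agent: str,
                       scan: ScanResult) -> Tuple[str, str]:
    """Return (action, reason); the header alone never decides the outcome."""
    if not authenticated:              # point 1: credentials are always required
        return ("deny", "authentication_required")
    if scan.timed_out:                 # point 3: a scan timeout leads to quarantine
        return ("quarantine", "scan_timeout")
    claimed = claimed_os(user_agent)
    # Point 2: the scanned OS must confirm the claim. Quarantining on a
    # mismatch or an undetermined OS is an assumption of this sketch.
    if scan.detected_os != claimed:
        return ("quarantine", "os_mismatch")
    if claimed == "windows":
        return ("require_agent", "windows_confirmed")
    return ("allow_without_agent", "os_confirmed")
```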