Date: 8 May 2006 18:29:52 -0000
From: research@...antec.com
To: bugtraq@...urityfocus.com
Subject: SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




                    Symantec Vulnerability Research                                   
                    https://www.symantec.com/research
                          Security Advisory

Advisory ID   : SYMSA-2006-003
Advisory Title: Cisco Secure ACS for Windows - Administrator 
                Password Disclosure
Author        : Andreas Junestam
Release Date  : 05-08-2006
Application   : Cisco Secure ACS 3.x for Windows
Platform      : Microsoft Windows
Severity      : System access / exploit available 
Vendor status : Vendor verified, workaround available
CVE Number    : CVE-2006-0561
Reference     : http://www.securityfocus.com/bid/16743


Overview: 

	Cisco Secure ACS is a central administration platform for 
	Cisco network devices. It controls authentication and 
	authorization for enrolled devices. Passwords for 
	locally-defined ACS administrators are stored in a way that 
	lets anyone who can read the relevant Windows registry key 
	recover them in clear text. If remote registry access is 
	enabled, this can be done over the network.

	If Cisco Secure ACS is configured to use an external 
	authentication service such as Windows Active Directory or
	LDAP, the passwords for users stored by those services are
	not vulnerable to this issue.


Details: 

	Cisco Secure ACS 3.x for Windows stores the passwords of its 
	administrative users in the registry, encrypted with the 
	CryptoAPI Microsoft Base Cryptographic Provider v1.0. The 
	key used for that encryption is stored in the registry as 
	well, next to the ciphertext, so the encryption protects 
	against nothing more than casual inspection: whoever can 
	read the key can decrypt the passwords. A local Windows 
	administrator can read both values directly, and if remote 
	registry access is enabled they can be read over the 
	network. The recovered clear-text passwords give 
	administrative control of ACS and, through it, access to 
	all Cisco devices controlled by the ACS server.


Vendor Response:


	Cisco Secure ACS 3.x for Windows stores the passwords of 
	ACS administrators in the Windows registry in an encrypted 
	format. A locally generated master key is used to 
	encrypt/decrypt the ACS administrator passwords. The master
	key is also stored in the Windows registry in an encrypted 
	format. Using Microsoft cryptographic routines, it is 
	possible for a user with administrative privileges to a 
	system running Cisco Secure ACS to obtain the clear-text 
	version of the master key. With the master key, the user 
	can decrypt and obtain the clear-text passwords for all 
	ACS administrators. With administrative credentials to 
	Cisco Secure ACS, it is possible to change the password 
	for any locally defined users. This may be used to gain 
	access to network devices configured to use Cisco Secure 
	ACS for authentication.

	If remote registry access is enabled on a system running 
	Cisco Secure ACS, it is possible for a user with
	administrative privileges (typically domain administrators) 
	to exploit this vulnerability.

	If Cisco Secure ACS is configured to use an external 
	authentication service such as Windows Active Directory / 
	Domains or LDAP, the passwords for users stored by those 
	services are not at risk of compromise via this 
	vulnerability.

	This vulnerability only affects version 3.x of Cisco Secure 
	ACS for Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco 
	Secure ACS for UNIX are not vulnerable. Cisco Secure ACS 3.x 
	appliances do not permit local or remote Windows registry 
	access and are not vulnerable.
     
Workaround:

	It is possible to mitigate this vulnerability by 
	restricting access to the registry key containing the 
	ACS administrators' passwords. One feature of Windows 
	operating systems is the ability to modify the permissions 
	of a registry key to remove access even for local or 
	domain administrators. Using this feature, the registry 
	key containing the ACS administrators' passwords can be 
	restricted to only the Windows users with a need to 
	maintain the ACS installation or operate the ACS services.

	The following registry key and all of its sub-keys need to 
	be protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

	Note: The "CiscoAAAv3.3" portion of the registry key path
	may differ slightly depending on the version of Cisco Secure
	ACS for Windows that is installed.

	There are two general deployment scenarios for Cisco Secure
	ACS. The Windows users that need permissions to the registry
	key will depend on the deployment type.

	* If Cisco Secure ACS is not installed on a Windows domain 
	controller, access to the registry key should be limited to
	only the local Windows SYSTEM account and specific local / 
	domain administrators who will be performing software 
	maintenance on the ACS installation. 
	
	* If Cisco Secure ACS is installed on a Windows domain 
	controller, access to the registry key should be limited to 
	the domain account which ACS is configured to use for its 
	services, the local Windows SYSTEM account and specific 
	local / domain administrators who will be performing 
	software maintenance on the ACS installation.

	For information about editing the Windows registry, please 
	consult the following Microsoft documentation.

	"Description of the Microsoft Windows registry"

	http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986

	Further mitigation against remote exploitation can be 
	achieved by restricting access to authorized users or 
	disabling remote access to the Windows registry on systems
	running Cisco Secure ACS for Windows. For information on
	restricting remote registry access, please consult the
	following Microsoft documentation.

	"How to restrict access to the registry from a remote computer"

	http://support.microsoft.com/kb/q153183

	"How to Manage Remote Access to the Registry"

	http://support.microsoft.com/kb/q314837
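	The two halves of the workaround (an explicit DACL on the
	ACS administrators key and its sub-keys, and a check on
	remote registry access) can be audited and applied from one
	script. The following is an added example for this page; it
	is not code from the Symantec advisory or from Cisco. It
	assumes Windows PowerShell 5.1 in an elevated session on the
	ACS host, uses 'CONTOSO\ACS-Maintainers' as a placeholder for
	the group that maintains ACS, and takes the "CiscoAAAv3.3"
	path segment from the advisory, which may differ for the
	installed version.

```powershell
<#
  Added example for the workaround in SYMSA-2006-003; not code from the
  Symantec advisory or from Cisco. Audits who can read the ACS administrators
  key, rewrites its DACL (and that of every sub-key) when run with -Apply,
  and reports, or with -DisableRemoteRegistry stops, remote registry access.

  Assumptions: Windows PowerShell 5.1, elevated, on the ACS host.
  'CONTOSO\ACS-Maintainers' is a placeholder principal. The "CiscoAAAv3.3"
  segment is the one quoted in the advisory and may differ per version.
#>
[CmdletBinding()]
param(
    [string]   $AcsKey  = 'HKLM:\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators',
    # Principals that keep Full Control: SYSTEM plus the people who maintain
    # ACS. On a domain controller add the ACS service account as well.
    [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'CONTOSO\ACS-Maintainers'),
    [switch]   $Apply,
    [switch]   $DisableRemoteRegistry
)

function Get-UnexpectedAces {
    param([string]$Path, [string[]]$AllowedPrincipals)
    # Report every ACE, inherited or explicit, whose identity is not on the
    # allow list; inherited Administrators/Users entries coming down from
    # HKLM\SOFTWARE are exactly the read path the advisory describes.
    (Get-Acl -Path $Path).Access | Where-Object {
        $AllowedPrincipals -notcontains $_.IdentityReference.Value
    }
}

function Set-RestrictedAcl {
    param([string]$Path, [string[]]$AllowedPrincipals)
    $acl = Get-Acl -Path $Path
    # Break inheritance without copying the inherited ACEs, then remove any
    # explicit ACEs, so only the allow list remains on the key.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($id in $AllowedPrincipals) {
        # ContainerInherit so sub-keys created later inherit the same rule.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $id, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RemoteRegistryState {
    # The RemoteRegistry service answers network requests; while it runs, the
    # DACL on the winreg key (KB 153183) decides who may connect remotely.
    $svc    = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $status = 'NotInstalled'; $start = 'NotInstalled'
    if ($svc) { $status = $svc.Status; $start = $svc.StartType }
    $allowedRemote = '(winreg key missing: remote access is not restricted by ACL)'
    if (Test-Path -Path $winreg) {
        $allowedRemote = (Get-Acl -Path $winreg).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value }
    }
    [pscustomobject]@{
        ServiceStatus    = $status
        ServiceStartType = $start
        WinregAllowed    = $allowedRemote
    }
}

if (-not (Test-Path -Path $AcsKey)) {
    throw "ACS key not found at $AcsKey; check the CiscoAAAvX.Y version segment."
}

$stray = @(Get-UnexpectedAces -Path $AcsKey -AllowedPrincipals $Allowed)
if ($stray.Count -gt 0) {
    Write-Warning "$($stray.Count) ACE(s) on $AcsKey are outside the allow list:"
    $stray | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
} else {
    Write-Host "ACL on $AcsKey is limited to: $($Allowed -join ', ')"
}

if ($Apply) {
    # The advisory requires the key and all of its sub-keys, so each existing
    # sub-key is rewritten explicitly rather than relying on propagation.
    foreach ($key in @(Get-Item -Path $AcsKey) + @(Get-ChildItem -Path $AcsKey -Recurse)) {
        Set-RestrictedAcl -Path $key.PSPath -AllowedPrincipals $Allowed
    }
    $left = @(Get-UnexpectedAces -Path $AcsKey -AllowedPrincipals $Allowed)
    Write-Host ("Re-check after Set-Acl: {0} unexpected ACE(s) remain" -f $left.Count)
}

$remote = Get-RemoteRegistryState
$remote | Format-List
if ($DisableRemoteRegistry -and $remote.ServiceStatus -ne 'NotInstalled') {
    # Disabling the service is the blunt form of the KB 153183/314837 advice;
    # confirm nothing else (monitoring, inventory tooling) depends on it first.
    Set-Service  -Name RemoteRegistry -StartupType Disabled
    Stop-Service -Name RemoteRegistry -Force
}
```

	Run it without switches first to see which principals
	currently reach the key; the inherited Administrators and
	Users entries it lists are the exposure. Then run with
	-Apply, and with -DisableRemoteRegistry only where nothing
	else relies on the service. Note the limit of this
	approach: members of the local Administrators group hold
	the right to take ownership of any registry key and can
	restore their own access, so the DACL raises the effort
	and leaves a trail (if object access auditing is enabled
	on the key) rather than creating a hard boundary.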
	
Recommendation:
	
	Follow your organization's testing procedures before 
	applying patches or workarounds. See Cisco's instructions
	on how to place an ACL on the registry key and how to 
	restrict remote access to the Windows registry.

	These recommendations do not eliminate the vulnerability, 
	but provide some mitigation. In particular, a registry ACL 
	does not bind a local or domain administrator, who holds 
	the right to take ownership of the key and restore their 
	own access; it raises the effort required and, with object 
	access auditing enabled on the key, leaves a trace. The 
	vendor response above lists Cisco Secure ACS for Windows 
	4.0.1, Cisco Secure ACS for UNIX and the ACS 3.x appliances 
	as not vulnerable.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following name to this issue.  It is a candidate for inclusion 
in the CVE list (http://cve.mitre.org), which standardizes names for 
security problems.


	CVE-2006-0561

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@...antec.com

For details on Symantec's Vulnerability Reporting Policy: 
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive: 
http://www.symantec.com/research/  

Symantec Vulnerability Research PGP Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_PGP.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@...antec.com 

For general information on Symantec's Product Vulnerability 
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive: 
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted 
as long as it is not edited in any way unless authorized by 
Symantec Consulting Services. Reprinting the whole or part of 
this alert in any medium other than electronically requires 
permission from cs_advisories@...antec.com.

Disclaimer
The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS 
condition. There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability for any 
direct, indirect, or consequential loss or damage arising from use 
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are 
registered trademarks of Symantec Corp. and/or affiliated companies 
in the United States and other countries. All other registered and 
unregistered trademarks represented in this document are the sole 
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEXR5muk7IIFI45IARArK+AJwOzswbkJN2WirzNweklR+iBBHpsQCgyNOe
vKVo3Si7ycswRs/2kiA997I=
=dkX3
-----END PGP SIGNATURE-----

