lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <26563eca0606230618t62d52177ifac0890115cfca49@mail.gmail.com>
Date: Fri, 23 Jun 2006 09:18:51 -0400
From: "Darren Bounds" <dbounds@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Cisco Secure ACS Weak Session Management
	Vulnerability


Cisco Secure ACS Weak Session Management Vulnerability
June 23, 2006

Product Overview:
Cisco Secure Access Control Server (ACS) provides a centralized
identity networking solution and simplified user management experience
across all Cisco devices and security management applications.

Cisco Secure ACS is a major component of Cisco trust and identity
networking security solutions. It extends access security by combining
authentication, user and administrator access, and policy control from
a centralized identity networking framework, thereby allowing greater
flexibility and mobility, increased security, and user productivity
gains.

Vulnerability Details:
A vulnerability has been identified in the Cisco Secure ACS session
management architecture which could be exploited by an attacker to
obtain full administrative access to the web interface and thus all
managed assets (routers, switches, 802.1x authenticated networks,
etc).

By default, the Cisco Secure ACS web administration login page runs on
TCP port 2002. Upon successful authentication, the client is then
redirected to a dynamicand unique HTTP server port between 1024 and
65535. Once authenticated, ACS relies solely upon the port and the
client IP address to validate the session.

Clearly one can think of many somewhat trivial techniques for
acquiring the necessary IP address or senarios where the attacker may
already share the same source IP as the administrator (proxies, NATing
devices). Now it's merely a matter of identifying the port allocated
for the administrative interface. This is easily accomplished as ACS
follows a simple incrementation process for port allocation.

Affected Versions:
Cisco Secure ACS 4.x for Windows
Legacy versions may also be affected.

Workarounds:
Configure ACLs within Cisco Secure ACS to restrict access to the web
interface from only 'secure' network address space.

Cisco has confirmed this vulnerability and is working on a patch.

References:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html


-- 

Thank you,
Darren Bounds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ