Message-ID: <44F4BDB1.8030805@feise.com>
Date: Tue, 29 Aug 2006 15:20:33 -0700
From: Joe Feise <jfeise@...se.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Cisco NAC Appliance Agent Installation Bypass Vulnerability

Hello,

This is an answer to Cisco's response to our advisory entitled "NAC agent
installation bypass".

We appreciate Cisco's answer to our advisory and the confirmation of the
validity of our approach.

We would like to address some of the points Eloy Paris from Cisco makes in
his answer.

Eloy Paris wrote on 08/26/06 13:31:
<...>

> While it is possible to bypass the mandatory agent installation by
> following the steps in the advisory, it should be noted that:
> 
> 1) Users cannot bypass authentication using the approach described in
> the advisory. Accordingly, unauthorized users (i.e., users with no
> credentials or invalid credentials) will not be able to gain access to
> the network using such an approach.


Our advisory explicitly addressed bypassing the CCA Agent installation only.
Authentication is orthogonal to our concern, and is not affected by our approach.

> 2) If an administrator is concerned that users might attempt to
> bypass CCA Agent installation by masquerading a Windows machine as a
> non-Windows machine (e.g., Linux, MacOSX, etc.), the administrator can
> define Network Scanning rules on the CCA Manager and use network scans
> to perform additional OS-specific checks. This process should detect
> users attempting to masquerade their Windows machines as non-Windows
> machines.


Such network scanning can be rendered useless in a trivial manner by connecting
Windows machines to the network through a Linux-based router, such as the ones
produced by Cisco's subsidiary Linksys.

> 4) Customers can also manually install either the CCA Agent software
> or the CCA Agent Installation stub (available in CCA version 4.0.0 and
> above) on end-user Windows machines, instead of using the OS detection
> routines. This will completely prevent the agent installation bypass
> described in the advisory from Andreas Gal and Joachim Feise.


This is a possible approach, particularly in corporate settings where the
end-user machines are locked down.
However, it fails in settings where the end-user machines are not under control
of the network administrators, such as university residential student
communities (it is our understanding that CCA is quite popular with network
administrators in these settings.)
Any end user with administrative rights could simply uninstall the CCA Agent
software.

Cheers,
-Joachim Joe Feise


