[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45A2B922.3080003@securenetwork.it>
Date: Mon, 08 Jan 2007 22:35:30 +0100
From: Stefano Zanero <s.zanero@...urenetwork.it>
To: thorben <thorbenatgawabcom@...urityfocus.com>,
bugtraq@...urityfocus.com
Subject: Re: cisco nac bypass vulnerability - cisco trust agent
thorben schroeder wrote:
> the cisco network admission control system gives an adminitrator the
> chance to check the clients, whether they have installed certain
> patches / hotfixes. this check is not reliable.
This is a known vulnerability of any system of NAC which trusts a client
based agent. Since you cannot determine what program is running on the
remote system, you cannot really trust what it is declaring.
So, nothing really new in what you reported (you could also reverse
engineer and write a client which answers the server exactly what it
wants to hear).
The point is knowing and accepting the unavoidable limits of such
technologies.
Stefano
Powered by blists - more mailing lists