lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060623234540.GH9774@cisco.com>
Date: Sat Jun 24 00:45:54 2006
From: ckossmey at cisco.com (Clayton Kossmeyer)
Subject: Re: Cisco Secure ACS Weak Session Management
	Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello -

The Cisco PSIRT has posted a public response to a vulnerability made
public by a researcher on multiple public mailing lists.

This is the Cisco PSIRT response to the statements made by Darren
Bounds in his advisory: Cisco Secure ACS Weak Session Management
Vulnerability. The original email/advisory is available at
http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0618.html
and
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047301.html

This issue is being tracked by Cisco Bug IDs CSCse26754 and
CSCse26719.

The attacks described in the report take advantage of a weakness in
the default configuration of the Cisco ACS.  Cisco is investigating
this issue and further detail will be added to the Cisco Security
Response as it becomes available.

Cisco's statement and further information are available on the Cisco
public website at

http://www.cisco.com/warp/public/707/cisco-sr-20060623-acs.shtml

Contact psirt@...co.com with any questions regarding this issue.

Regards,

Clay


On Fri, Jun 23, 2006 at 09:18:51AM -0400, Darren Bounds wrote:
> Cisco Secure ACS Weak Session Management Vulnerability
> June 23, 2006
> 
> Product Overview:
> Cisco Secure Access Control Server (ACS) provides a centralized
> identity networking solution and simplified user management experience
> across all Cisco devices and security management applications.
> 
> Cisco Secure ACS is a major component of Cisco trust and identity
> networking security solutions. It extends access security by combining
> authentication, user and administrator access, and policy control from
> a centralized identity networking framework, thereby allowing greater
> flexibility and mobility, increased security, and user productivity
> gains.
> 
> Vulnerability Details:
> A vulnerability has been identified in the Cisco Secure ACS session
> management architecture which could be exploited by an attacker to
> obtain full administrative access to the web interface and thus all
> managed assets (routers, switches, 802.1x authenticated networks,
> etc).
> 
> By default, the Cisco Secure ACS web administration login page runs on
> TCP port 2002. Upon successful authentication, the client is then
> redirected to a dynamicand unique HTTP server port between 1024 and
> 65535. Once authenticated, ACS relies solely upon the port and the
> client IP address to validate the session.
> 
> Clearly one can think of many somewhat trivial techniques for
> acquiring the necessary IP address or senarios where the attacker may
> already share the same source IP as the administrator (proxies, NATing
> devices). Now it's merely a matter of identifying the port allocated
> for the administrative interface. This is easily accomplished as ACS
> follows a simple incrementation process for port allocation.
> 
> Affected Versions:
> Cisco Secure ACS 4.x for Windows
> Legacy versions may also be affected.
> 
> Workarounds:
> Configure ACLs within Cisco Secure ACS to restrict access to the web
> interface from only 'secure' network address space.
> 
> Cisco has confirmed this vulnerability and is working on a patch.
> 
> References:
> http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
> 
> 
> -- 
> 
> Thank you,
> Darren Bounds
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (SunOS)

iD8DBQFEnH0XEHa/Ybuq8nARAmrJAJ9RVE0zwyiEGuhU4a8wVTiyEAt0pwCeK2QW
psiCcxc105IojaZsm+i+yjY=
=thsN
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ