Message-ID: <Pine.LNX.4.62.0608251726360.9882@sam.ics.uci.edu>
Date: Fri, 25 Aug 2006 17:29:36 -0700 (PDT)
From: Andreas Gal <gal@....edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Cisco NAC Appliance Agent Installation Bypass Vulnerability

Description:
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed Network 
Admission Control (NAC) product that uses the network infrastructure to enforce 
security policy compliance on all devices seeking to access network computing 
resources. With NAC Appliance, network administrators can authenticate, 
authorize, evaluate, and remediate wired, wireless, and remote users and their 
machines prior to network access. It identifies whether networked devices such 
as laptops, IP phones, or game consoles are compliant with your network's 
security policies and repairs any vulnerabilities before permitting access to 
the network.

Vendor site:
http://www.cisco.com/en/US/products/ps6128/

Affected versions:
All current (<= 3.6.4.1 at the time of the release)

Discovery Date:
2006-08-15

Report Date:
2006-08-20 (vendor), 2006-08-25 (public)

Severity:
Medium

Remote:
Yes

Related previous reports:
http://www.securityfocus.com/archive/1/408603/30/0/threaded

Discovered by:
Andreas Gal (http://www.andreasgal.com/)
Joachim Feise (http://www.feise.com/)

Vulnerability:
Previous versions of the software allowed users to bypass the "mandatory" 
installation of the Clean Access Agent by changing the browser user-agent 
string. With version 3.6.0, Cisco added additional detection mechanisms such as 
TCP fingerprinting and JavaScript OS detection. By changing the default 
parameters of the Windows TCP/IP stack and using a custom HTTPS client (instead 
of a browser) the user can still connect to the network without running any 
host-based checks. Authentication and remote checks are not affected.
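
Because the bypass described above yields a host that is granted network access without ever completing an agent-based host check, one after-the-fact detection is to correlate access-grant events with agent check-in events and flag the grants that have none. The following Python is an added example for this posting, not code from the advisory or from Cisco; the log format, event names and sample lines are constructed for illustration and do not reflect the appliance's real log output.

```python
import re

# Constructed sample log lines; the format is an assumption for this example,
# not the appliance's actual log format.
SAMPLE_LOG = """\
2006-08-25 17:01:02 AUTH_OK user=alice ip=10.0.5.11
2006-08-25 17:01:05 AGENT_CHECK_OK user=alice ip=10.0.5.11 agent=3.6.4.1
2006-08-25 17:01:06 ACCESS_GRANTED user=alice ip=10.0.5.11
2006-08-25 17:03:10 AUTH_OK user=bob ip=10.0.5.42
2006-08-25 17:03:11 ACCESS_GRANTED user=bob ip=10.0.5.42
2006-08-25 17:05:00 AUTH_OK user=carol ip=10.0.5.77
2006-08-25 17:05:02 AGENT_CHECK_OK user=carol ip=10.0.5.77 agent=3.6.4.1
2006-08-25 17:05:03 ACCESS_GRANTED user=carol ip=10.0.5.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) ip=(?P<ip>\S+)"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unchecked_grants(log_text):
    """Return (user, ip, ts) for each ACCESS_GRANTED that was not preceded
    by an AGENT_CHECK_OK for the same user/ip pair in this log window."""
    checked = set()
    alerts = []
    for ev in parse(log_text):
        key = (ev["user"], ev["ip"])
        if ev["event"] == "AGENT_CHECK_OK":
            checked.add(key)
        elif ev["event"] == "ACCESS_GRANTED" and key not in checked:
            alerts.append((ev["user"], ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for user, ip, ts in find_unchecked_grants(SAMPLE_LOG):
        print(f"{ts} {user}@{ip}: access granted with no agent host check on record")
```

In a real deployment, devices the appliance itself classified as non-Windows (and therefore exempted from the agent) will also appear in this list; every such entry still deserves review rather than being waved through on the appliance's OS classification alone, since that classification rests on client-supplied signals.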

Proof-of-concept implementation:
http://kevin.sf.net/howto.html
http://kevin.sf.net/download/kevin.exe
http://kevin.sf.net/download/kevin.conf
http://kevin.cvs.sourceforge.net/kevin/

Acknowledgements:
The registry settings to masquerade the Windows TCP/IP stack were derived from 
sec_cloak written by Craig Heffner.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
