lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <70f230c70701041059v19fe4acduc8260b6fafe3bb35@mail.gmail.com>
Date: Thu, 4 Jan 2007 11:59:34 -0700
From: "Mark Senior" <senatorfrog@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: psirt@...co.com
Subject: Re: Cisco Security Advisory: Multiple
	Vulnerabilities in Cisco Clean Access

Well, that sure was informative.

My questions to what the advisory means are below.  Can anyone answer or
correct this at all?

On 1/3/07, Cisco Systems Product Security Incident Response Team <> wrote:
>
> Details
> =======
>
> Unchangeable Shared Secret
> +-------------------------
>
> In order for Cisco Clean Access Manager (CAM) to authenticate to a
> Cisco Clean Access Server (CAS), both CAM and CAS must have the same
> shared secret. The shared secret is configured during the initial CAM
> and CAS setup. Due to this vulnerability the shared secret can not be
> properly set nor be changed, and it will be the same across all
> affected devices. In order to exploit this vulnerability the
> adversary must be able to establish a TCP connection to CAS.


So, other than making a TCP connection to the box, what does the attacker
need?  Do they need to get the shared secret off some other box in the same
administrative domain?  How is that shared secret protected, is it stored
anywhere else an attacker might have easier access to (e.g. on Clean
Access-managed clients, on the 'readable snapshots' below)?

Unchangeable Shared Secret
> +-------------------------
>
> Successful exploitation of the vulnerability may enable a malicious
> user to effectively take administrative control of a CAS. After that,
> every aspect of CAS can be changed including its configuration and
> setup.


For "may", presumably we should read "would, unless the he suddenly fell
asleep at the last minute"?  Or are there some additional barriers to taking
advantage of a successful  exploit?



> Readable Snapshots
> +-----------------
>
> Manual backups of the database ('snapshots') taken on CAM are
> susceptible to brute force download attacks. A malicious user can
> guess the file name and download it without authentication. The file
> itself is not encrypted or otherwise protected.


>
> Readable Snapshots
> +-----------------
>
> The snapshot contains sensitive information that can aide in the
> attempts, or be used to compromise the CAM. Among other things, the
> snapshot can contain passwords in cleartext. Starting with the
> release 3.6.0, passwords are no longer stored in cleartext in the
> snapshot files.


So, I read this to mean, the snapshot files are still downloadable without
authentication, still have easily guessable names, and still contain
sensitive information that can aid in an attack (what sensitive
information?), but now the attacker has password hashes against which he has
to do a three hour offline brute force, or perhaps a twenty second rainbow
table lookup, rather than getting the plaintext straight off.

Regards
Mark

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ