ID

VAR-200512-0744

CVE

CVE-2005-4499

TITLE

Cisco Product IP ACL Vulnerabilities that bypass authentication in functions

DESCRIPTION

The Downloadable RADIUS ACLs feature in Cisco PIX and VPN 3000 concentrators, when creating an ACL on the Cisco Secure Access Control Server (CS ACS), generates a random internal name for an ACL that is also used as a hidden user name and password, which allows remote attackers to gain privileges by sniffing the username from the cleartext portion of a RADIUS session, then using the password to log in to another device that uses CS ACS. plural Cisco Product implements IP ACL In function, the device ACL When downloading ACL Name RAS/NAS Username and password for authentication by ( Same as user name ) As we use as ACL If the name is known, ACL There is a vulnerability that makes it possible to pass authentication illegally using a name.There is a possibility of unauthorized access to the network. Cisco PIX and VPN 3000 concentrators, when managed by Cisco Secure Access Control Servers are vulnerable to an information disclosure vulnerability. This issue is due to a design flaw that communicates sensitive information over an unencrypted communications channel. This issue allows remote attackers with the ability to gain access to sensitive information if they can sniff network packets traveling between affected devices and the RADIUS server. This information potentially aids them in further attacks. Specific Cisco versions and products affected by this issue are not currently known. The list of affected packages will be updated as further information is disclosed. Cisco PIX is a very popular network firewall, while CS ACS is a network device that provides authentication, authorization, and account services. Cisco PIX has a loophole in network management communication, and attackers may use this loophole to gain unauthorized access to the device. At the same time, CS ACS will also create an internal hidden user named #ACSACL#-IP-uacl-43a97a9d with the password #ACSACL#-IP-uacl-43a97a9d (!). The CS ACS GUI cannot see the user. The protocol used by the PIX downloads the ACL steps as follows: 0) The user accesses the Internet through the PIX with HTTP(s); the PIX requests the user name and password, and then the user enters the user name and password in the dialog box. 1) PIX sends a Radius access request to CS ACS to authenticate the user (user password is encrypted by Radius). 2) The Radius server authenticates the user and sends back the cisco-av-pair vendor-specific attribute (VSA) with the ACS: CiscoSecure-Defined-ACL=#ACSACL#-IP-uacl-43a97a9d value. 3) PIX sends Radius access request again to authenticate user#ACSACL#-IP-uacl-43a97a9d 4) Radius server authenticates user, sends back ACL body with another cisco-av-pair VSA attribute (ip:inacl#1=... ). This means that anyone can see the plaintext #ACSACL#-IP-uacl-43a97a9d user name sent from the CS ACS server to the PIX by the Radius protocol through the network, and the user's password is the same as the user name. If the network device is configured to use the same CS ACS server for login authentication, you can use the sniffed user name to log in to the network device. The vulnerability is caused due to a design error in the Downloadable IP ACL (Access Control List) feature. This can be exploited by malicious people who knows the name of a Downloadable IP ACL configured on the ACS server to authenticate to the RAS/NAS (Remote Access Server/Network Access Server) by using the name of that ACL as their user name. Successful exploitation requires that the attacker knows the name of the Downloadable IP ACL e.g. by sniffing network traffic between the RAS/NAS and the ACS server. SOLUTION: The vulnerability has been fixed in the following versions. * Cisco Secure ACS Version 4.0.1 * PIX version 6.3(5) * PIX/ASA 7.0(2) * Cisco IOS Software Version 12.3(8)T4 * VPN 3000 versions 4.0.5.B and 4.1.5.B Cisco FWSM: Refer to vendor's original advisory for workaround instructions. PROVIDED AND/OR DISCOVERED BY: ovt ORIGINAL ADVISORY: Cisco: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Design Error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Oleg Tipisov

SOURCES

LAST UPDATE DATE

2024-08-14T15:09:45.658000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE