ID

VAR-200602-0183

CVE

CVE-2006-0764

TITLE

Cisco Multiple products TACACS+ Access authentication bypass vulnerability

DESCRIPTION

The Authentication, Authorization, and Accounting (AAA) capability in versions 5.0(1) and 5.0(3) of the software used by multiple Cisco Anomaly Detection and Mitigation products, when running with an incomplete TACACS+ configuration without a "tacacs-server host" command, allows remote attackers to bypass authentication and gain privileges, aka Bug ID CSCsd21455. Cisco Anomaly Detection and Mitigation appliances and service modules are prone to an authentication-bypass vulnerability. This issue can allow attackers to gain unauthorized access to devices or gain elevated privileges. This vulnerability presents itself when the devices have been configured to authenticate users against an external TACACS+ server, but an external TACACS+ server isn't specified in the configuration using the 'tacacs-server host' command. Note that a device is vulnerable only if the 'tacacs-server host' command isn't present in the configuration. Depending on the privileges gained, the attacker may obtain sensitive information about a network by sniffing traffic and inspecting configuration policies. Denial-of-service attacks are also possible. Both Cisco Guard and Cisco Traffic Anomaly Detector appliances are Distributed Denial of Service (DDoS) attack mitigation appliances that detect potential DDoS attacks and divert attack traffic to the monitored network without affecting legitimate traffic. The permissions available to bypass authentication users depend on the type of account used to log in and whether there is an account on the device. The situation is as follows: * Using a non-existing account: the user can only execute the show command Obtain the same permissions normally given to this account* Using an existing Linux account: the user can access the base Linux shell Additionally, if the enable authentication is performed on the TACACS+ server via the aaa authentication enable tacacs+ command and the actual TACACS+ server is not specified via the tacacs-server host command The user can also bypass the authentication of the enable command. TITLE: Cisco Products TACACS+ Authentication Bypass SECUNIA ADVISORY ID: SA18904 VERIFY ADVISORY: http://secunia.com/advisories/18904/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote OPERATING SYSTEM: Cisco Guard 5.x http://secunia.com/product/8097/ Cisco Traffic Anomaly Detector 5.x http://secunia.com/product/8095/ SOFTWARE: Cisco Catalyst 6500/Cisco 7600 Router Anomaly Guard Module http://secunia.com/product/8098/ Cisco Catalyst 6500/Cisco 7600 Router Traffic Anomaly Detector Module http://secunia.com/product/8099/ DESCRIPTION: A security issue has been reported in various Cisco products, which can be exploited by malicious people to bypass certain security restrictions. Successful exploitation requires that TACACS+ authentication is incompletely configured (i.e. The security issue affects the following products: * Cisco Guard versions 5.0(1) and 5.0(3) * Cisco Traffic Anomaly Detector versions 5.0(1) and 5.0(3) * Anomaly Guard Module for the Cisco Catalyst 6500 switches/Cisco 7600 routers * Traffic Anomaly Detector Module for the Cisco Catalyst 6500 switches/Cisco 7600 routers NOTE: Versions prior to 5.0 and versions later than 5.0(3) are unaffected. SOLUTION: Update to version 5.1(4) or later. Software for the Cisco Guard appliance: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-ga-crypto. Software for the Cisco Traffic Anomaly Detector appliance: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-ad-crypto. Software for the Cisco Anomaly Guard Module: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-agm-crypto. Software for the Cisco Anomaly Traffic Detector Module: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-adm-crypto Configure TACACS+ authentication properly. PROVIDED AND/OR DISCOVERED BY: The vendor credits Gerrit Wenig. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060215-guard.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Design Error

EXTERNAL IDS

REFERENCES

CREDITS

Gerrit Wenig

SOURCES

LAST UPDATE DATE

2024-08-14T14:48:00.683000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE