ID

VAR-200602-0183


CVE

CVE-2006-0764


TITLE

Multiple Cisco products TACACS+ access authentication bypass vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200602-261

DESCRIPTION

The Authentication, Authorization, and Accounting (AAA) capability in versions 5.0(1) and 5.0(3) of the software used by multiple Cisco Anomaly Detection and Mitigation products, when running with an incomplete TACACS+ configuration without a "tacacs-server host" command, allows remote attackers to bypass authentication and gain privileges, aka Bug ID CSCsd21455.

Cisco Anomaly Detection and Mitigation appliances and service modules are prone to an authentication-bypass vulnerability. This issue can allow attackers to gain unauthorized access to devices or gain elevated privileges. The vulnerability is present when a device has been configured to authenticate users against an external TACACS+ server, but no external TACACS+ server is specified in the configuration with the 'tacacs-server host' command. Note that a device is vulnerable only if the 'tacacs-server host' command isn't present in the configuration. Depending on the privileges gained, the attacker may obtain sensitive information about a network by sniffing traffic and inspecting configuration policies. Denial-of-service attacks are also possible.

Both Cisco Guard and Cisco Traffic Anomaly Detector appliances are Distributed Denial of Service (DDoS) attack mitigation appliances that detect potential DDoS attacks and divert attack traffic to the monitored network without affecting legitimate traffic. The permissions available to users who bypass authentication depend on the type of account used to log in and whether there is an account on the device. The situation is as follows:

* Using a non-existing account: the user can only execute the show command
* Obtain the same permissions normally given to this account
* Using an existing Linux account: the user can access the base Linux shell

Additionally, if enable authentication is performed on the TACACS+ server via the 'aaa authentication enable tacacs+' command and the actual TACACS+ server is not specified via the 'tacacs-server host' command, the user can also bypass the authentication of the enable command.

TITLE: Cisco Products TACACS+ Authentication Bypass
SECUNIA ADVISORY ID: SA18904
VERIFY ADVISORY: http://secunia.com/advisories/18904/
CRITICAL: Less critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM:
Cisco Guard 5.x http://secunia.com/product/8097/
Cisco Traffic Anomaly Detector 5.x http://secunia.com/product/8095/
SOFTWARE:
Cisco Catalyst 6500/Cisco 7600 Router Anomaly Guard Module http://secunia.com/product/8098/
Cisco Catalyst 6500/Cisco 7600 Router Traffic Anomaly Detector Module http://secunia.com/product/8099/
DESCRIPTION: A security issue has been reported in various Cisco products, which can be exploited by malicious people to bypass certain security restrictions. Successful exploitation requires that TACACS+ authentication is incompletely configured (i.e.
The security issue affects the following products:
* Cisco Guard versions 5.0(1) and 5.0(3)
* Cisco Traffic Anomaly Detector versions 5.0(1) and 5.0(3)
* Anomaly Guard Module for the Cisco Catalyst 6500 switches/Cisco 7600 routers
* Traffic Anomaly Detector Module for the Cisco Catalyst 6500 switches/Cisco 7600 routers
NOTE: Versions prior to 5.0 and versions later than 5.0(3) are unaffected.
SOLUTION: Update to version 5.1(4) or later.
Software for the Cisco Guard appliance: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-ga-crypto
Software for the Cisco Traffic Anomaly Detector appliance: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-ad-crypto
Software for the Cisco Anomaly Guard Module: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-agm-crypto
Software for the Cisco Anomaly Traffic Detector Module: http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-adm-crypto
Configure TACACS+ authentication properly.
PROVIDED AND/OR DISCOVERED BY: The vendor credits Gerrit Wenig.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060215-guard.shtml

Trust: 1.35

sources: NVD: CVE-2006-0764 // BID: 16661 // VULHUB: VHN-16872 // PACKETSTORM: 43910

AFFECTED PRODUCTS

vendor: cisco // model: guard // scope: eq // version: 5.0\(3\)

Trust: 1.6

vendor: cisco // model: anomaly guard module // scope: eq // version: 5.0\(3\)

Trust: 1.6

vendor: cisco // model: guard // scope: eq // version: 5.0\(1\)

Trust: 1.6

vendor: cisco // model: traffic anomaly detector module // scope: eq // version: 5.0\(3\)

Trust: 1.6

vendor: cisco // model: traffic anomaly detector module // scope: eq // version: 5.0\(1\)

Trust: 1.6

vendor: cisco // model: anomaly guard module // scope: eq // version: 5.0\(1\)

Trust: 1.6

vendor: cisco // model: traffic anomaly detector module // scope: eq // version: 5.0(3)

Trust: 0.3

vendor: cisco // model: traffic anomaly detector module // scope: eq // version: 5.0(1)

Trust: 0.3

vendor: cisco // model: traffic anomaly detector // scope: eq // version: 5.0(3)

Trust: 0.3

vendor: cisco // model: traffic anomaly detector // scope: eq // version: 5.0(1)

Trust: 0.3

vendor: cisco // model: guard // scope: eq // version: 5.0(3)

Trust: 0.3

vendor: cisco // model: guard // scope: eq // version: 5.0(1)

Trust: 0.3

vendor: cisco // model: anomaly guard module // scope: eq // version: 5.0(3)

Trust: 0.3

vendor: cisco // model: anomaly guard module // scope: eq // version: 5.0(1)

Trust: 0.3

sources: BID: 16661 // CNNVD: CNNVD-200602-261 // NVD: CVE-2006-0764

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-0764
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200602-261
value: MEDIUM

Trust: 0.6

VULHUB: VHN-16872
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2006-0764
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-16872
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-16872 // CNNVD: CNNVD-200602-261 // NVD: CVE-2006-0764

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-0764

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200602-261

TYPE

Design Error

Trust: 0.9

sources: BID: 16661 // CNNVD: CNNVD-200602-261

EXTERNAL IDS

db: BID // id: 16661

Trust: 2.0

db: SECUNIA // id: 18904

Trust: 1.8

db: VUPEN // id: ADV-2006-0612

Trust: 1.7

db: OSVDB // id: 23237

Trust: 1.7

db: SECTRACK // id: 1015637

Trust: 1.7

db: SECTRACK // id: 1015638

Trust: 1.7

db: NVD // id: CVE-2006-0764

Trust: 1.7

db: SREASON // id: 435

Trust: 1.7

db: CNNVD // id: CNNVD-200602-261

Trust: 0.7

db: XF // id: 24689

Trust: 0.6

db: CISCO // id: 20060215 TACACS+ AUTHENTICATION BYPASS IN CISCO ANOMALY DETECTION AND MITIGATION PRODUCTS

Trust: 0.6

db: VULHUB // id: VHN-16872

Trust: 0.1

db: PACKETSTORM // id: 43910

Trust: 0.1

sources: VULHUB: VHN-16872 // BID: 16661 // PACKETSTORM: 43910 // CNNVD: CNNVD-200602-261 // NVD: CVE-2006-0764

REFERENCES

url:http://www.securityfocus.com/bid/16661

Trust: 1.7

url:http://www.cisco.com/en/us/products/products_security_advisory09186a008060519a.shtml

Trust: 1.7

url:http://www.osvdb.org/23237

Trust: 1.7

url:http://securitytracker.com/id?1015637

Trust: 1.7

url:http://securitytracker.com/id?1015638

Trust: 1.7

url:http://secunia.com/advisories/18904

Trust: 1.7

url:http://securityreason.com/securityalert/435

Trust: 1.7

url:http://www.vupen.com/english/advisories/2006/0612

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/24689

Trust: 1.1

url:http://www.frsirt.com/english/advisories/2006/0612

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/24689

Trust: 0.6

url:http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-ad-crypto.

Trust: 0.1

url:http://secunia.com/product/8097/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-agm-crypto.

Trust: 0.1

url:http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-ga-crypto.

Trust: 0.1

url:http://secunia.com/advisories/18904/

Trust: 0.1

url:http://secunia.com/product/8098/

Trust: 0.1

url:http://www.cisco.com/warp/public/707/cisco-sa-20060215-guard.shtml

Trust: 0.1

url:http://www.cisco.com/pcgi-bin/tablebuild.pl/cisco-adm-crypto

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/product/8095/

Trust: 0.1

url:http://secunia.com/product/8099/

Trust: 0.1

sources: VULHUB: VHN-16872 // PACKETSTORM: 43910 // CNNVD: CNNVD-200602-261 // NVD: CVE-2006-0764

CREDITS

Gerrit Wenig

Trust: 0.6

sources: CNNVD: CNNVD-200602-261

SOURCES

db: VULHUB // id: VHN-16872
db: BID // id: 16661
db: PACKETSTORM // id: 43910
db: CNNVD // id: CNNVD-200602-261
db: NVD // id: CVE-2006-0764

LAST UPDATE DATE

2024-11-23T23:03:33.772000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-16872 // date: 2017-07-20T00:00:00
db: BID // id: 16661 // date: 2006-02-15T21:07:00
db: CNNVD // id: CNNVD-200602-261 // date: 2006-02-28T00:00:00
db: NVD // id: CVE-2006-0764 // date: 2024-11-21T00:07:17.180

SOURCES RELEASE DATE

db: VULHUB // id: VHN-16872 // date: 2006-02-18T00:00:00
db: BID // id: 16661 // date: 2006-02-15T00:00:00
db: PACKETSTORM // id: 43910 // date: 2006-02-16T21:45:30
db: CNNVD // id: CNNVD-200602-261 // date: 2006-02-17T00:00:00
db: NVD // id: CVE-2006-0764 // date: 2006-02-18T02:02:00