ID

VAR-200605-0001


CVE

CVE-2006-0561


TITLE

Cisco Secure Access Control Server for Windows password cracking vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2006-003863

DESCRIPTION

Cisco Secure Access Control Server (ACS) 3.x for Windows stores ACS administrator passwords and the master key in the registry with insecure permissions, which allows local users and remote administrators to decrypt the passwords by using Microsoft's cryptographic API functions to obtain the plaintext version of the master key.

Cisco Secure ACS is susceptible to an insecure password-storage vulnerability. This issue is due to a failure of the application to properly secure sensitive password information. This issue allows attackers to gain access to encrypted passwords and to the key used to encrypt them. This allows them to obtain the plaintext passwords, aiding them in attacking other services that depend on the ACS server for authentication.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec Vulnerability Research
https://www.symantec.com/research
Security Advisory

Advisory ID : SYMSA-2006-003
Advisory Title: Cisco Secure ACS for Windows - Administrator Password Disclosure
Author : Andreas Junestam
Release Date : 05-08-2006
Application : Cisco Secure ACS 3.x for Windows
Platform : Microsoft Windows
Severity : System access / exploit available
Vendor status : Vendor verified, workaround available
CVE Number : CVE-2006-0561
Reference : http://www.securityfocus.com/bid/16743

Overview:

Cisco Secure ACS is a central administration platform for Cisco network devices. It controls authentication and authorization for enrolled devices. Administrative passwords for locally-defined users are stored in such a way they can be obtained from the Windows registry. If remote registry access is enabled, this can be done over the network.

The passwords are encrypted using the Crypto API Microsoft Base Cryptographic Provider v1.0. This information can easily be obtained locally by a Windows administrator, and if remote registry access is enabled, it can be obtained over the network. With this, the clear-text passwords can be recovered by decrypting the information in the registry with the supplied key.

A locally generated master key is used to encrypt/decrypt the ACS administrator passwords. The master key is also stored in the Windows registry in an encrypted format.

One feature of Windows operating systems is the ability to modify the permissions of a registry key to remove access even for local or domain administrators. The following registry key and all of its sub-keys need to be protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

Note: The "CiscoAAAv3.3" portion of the registry key path may differ slightly depending on the version of Cisco Secure ACS for Windows that is installed.

The Windows users that need permissions to the registry key will depend on the deployment type.

For information about editing the Windows registry, please consult the following Microsoft documentation.

For information on restricting remote registry access, please consult the following Microsoft documentation.

"How to restrict access to the registry from a remote computer"
http://support.microsoft.com/kb/q153183

"How to Manage Remote Access to the Registry"
http://support.microsoft.com/kb/q314837

Recommendation:

Follow your organization's testing procedures before applying patches or workarounds. See Cisco's instructions on how to place an ACL on the Registry Key, and also how to restrict remote access to the Windows registry. These recommendations do not eliminate the vulnerability, but provide some mitigation.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CVE-2006-0561

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research PGP Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_PGP.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com

For general information on Symantec's Product Vulnerability reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2006 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Consulting Services. Reprinting the whole or part of this alert in any medium other than electronically requires permission from cs_advisories@symantec.com.

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEXR5muk7IIFI45IARArK+AJwOzswbkJN2WirzNweklR+iBBHpsQCgyNOe
vKVo3Si7ycswRs/2kiA997I=
=dkX3
-----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2006-0561 // JVNDB: JVNDB-2006-003863 // BID: 16743 // VULHUB: VHN-16669 // PACKETSTORM: 46315

AFFECTED PRODUCTS

vendor: cisco | model: secure access control server | scope: eq | version: 3.3

Trust: 1.9

vendor: cisco | model: secure access control server | scope: eq | version: 3.2

Trust: 1.9

vendor: cisco | model: secure access control server | scope: eq | version: 3.1

Trust: 1.9

vendor: cisco | model: secure access control server | scope: eq | version: 3.0

Trust: 1.9

vendor: cisco | model: secure access control server | scope: eq | version: 3.1.1

Trust: 1.6

vendor: cisco | model: secure access control server | scope: eq | version: 3.0.1

Trust: 1.6

vendor: cisco | model: secure access control server | scope: eq | version: 3.0.3

Trust: 1.6

vendor: cisco | model: secure access control server | scope: eq | version: 3.x (windows)

Trust: 0.8

vendor: cisco | model: secure acs for windows server | scope: eq | version: 3.2

Trust: 0.3

vendor: cisco | model: secure acs for windows nt | scope: eq | version: 3.3

Trust: 0.3

vendor: cisco | model: secure acs for windows nt | scope: eq | version: 3.2

Trust: 0.3

vendor: cisco | model: secure acs for windows nt | scope: eq | version: 3.1.1

Trust: 0.3

vendor: cisco | model: secure acs for windows nt | scope: eq | version: 3.1

Trust: 0.3

vendor: cisco | model: secure acs for windows nt | scope: eq | version: 3.0.3

Trust: 0.3

vendor: cisco | model: secure acs for windows nt | scope: eq | version: 3.0.1

Trust: 0.3

vendor: cisco | model: secure acs for windows nt | scope: eq | version: 3.0

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.3.2

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.3.1

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.3(1)

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.2.2

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.2.1

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.2(3)

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.2(2)

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.2(1.20)

Trust: 0.3

vendor: cisco | model: secure access control server | scope: eq | version: 3.2(1)

Trust: 0.3

vendor: cisco | model: secure access control server | scope: - | version: -

Trust: 0.3

vendor: cisco | model: secure acs solution engine | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: secure access control server | scope: ne | version: 4.0.1

Trust: 0.3

sources: BID: 16743 // JVNDB: JVNDB-2006-003863 // CNNVD: CNNVD-200605-133 // NVD: CVE-2006-0561

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-0561
value: HIGH

Trust: 1.0

NVD: CVE-2006-0561
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200605-133
value: HIGH

Trust: 0.6

VULHUB: VHN-16669
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2006-0561
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-16669
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-16669 // JVNDB: JVNDB-2006-003863 // CNNVD: CNNVD-200605-133 // NVD: CVE-2006-0561

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-0561

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-200605-133

TYPE

Design Error

Trust: 0.9

sources: BID: 16743 // CNNVD: CNNVD-200605-133

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-003863

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-16669

PATCH

title: SYMSA-2006-003.txt | url: http://www.symantec.com/enterprise/research/SYMSA-2006-003.txt

Trust: 0.8

title: 16743 | url: http://www.securityfocus.com/bid/16743

Trust: 0.8

title: threaded | url: http://www.securityfocus.com/archive/1/433301/100/0/threaded

Trust: 0.8

title: cisco-sr-20060508-acs.shtml | url: http://www.cisco.com/warp/public/707/cisco-sr-20060508-acs.shtml

Trust: 0.8

title: id?1016042 | url: http://securitytracker.com/id?1016042

Trust: 0.8

sources: JVNDB: JVNDB-2006-003863

EXTERNAL IDS

db: NVD | id: CVE-2006-0561

Trust: 2.9

db: BID | id: 16743

Trust: 2.1

db: SECTRACK | id: 1016042

Trust: 1.7

db: OSVDB | id: 25892

Trust: 1.7

db: VUPEN | id: ADV-2006-1741

Trust: 1.7

db: JVNDB | id: JVNDB-2006-003863

Trust: 0.8

db: CNNVD | id: CNNVD-200605-133

Trust: 0.7

db: CISCO | id: 20060508 RESPONSE TO SYMANTEC SYMSA-2006-003 CISCO SECURE ACS FOR WINDOWS - ADMINISTRATOR PASSWORD DISCLOSURE

Trust: 0.6

db: XF | id: 26307

Trust: 0.6

db: BUGTRAQ | id: 20060508 RE: SYMSA-2006-003: CISCO SECURE ACS FOR WINDOWS - ADMINISTRATOR PASSWORD DISCLOSURE

Trust: 0.6

db: BUGTRAQ | id: 20060508 SYMSA-2006-003: CISCO SECURE ACS FOR WINDOWS - ADMINISTRATOR PASSWORD DISCLOSURE

Trust: 0.6

db: PACKETSTORM | id: 46315

Trust: 0.2

db: VULHUB | id: VHN-16669

Trust: 0.1

sources: VULHUB: VHN-16669 // BID: 16743 // JVNDB: JVNDB-2006-003863 // PACKETSTORM: 46315 // CNNVD: CNNVD-200605-133 // NVD: CVE-2006-0561

REFERENCES

url:http://www.securityfocus.com/bid/16743

Trust: 1.8

url:http://www.securityfocus.com/archive/1/433301/100/0/threaded

Trust: 1.7

url:http://www.securityfocus.com/archive/1/433286/100/0/threaded

Trust: 1.7

url:http://www.cisco.com/warp/public/707/cisco-sr-20060508-acs.shtml

Trust: 1.7

url:http://www.symantec.com/enterprise/research/symsa-2006-003.txt

Trust: 1.7

url:http://www.osvdb.org/25892

Trust: 1.7

url:http://securitytracker.com/id?1016042

Trust: 1.7

url:http://www.vupen.com/english/advisories/2006/1741

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/26307

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-0561

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-0561

Trust: 0.8

url:http://www.frsirt.com/english/advisories/2006/1741

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/26307

Trust: 0.6

url:http://www.cisco.com/en/us/products/sw/secursw/ps2086/index.html

Trust: 0.3

url:/archive/1/433301

Trust: 0.3

url:/archive/1/433679

Trust: 0.3

url:/archive/1/433286

Trust: 0.3

url:https://www.symantec.com/research

Trust: 0.1

url:http://cve.mitre.org

Trust: 0.1

url:http://www.symantec.com/research/symantec-responsible-disclosure.pdf

Trust: 0.1

url:http://www.symantec.com/research/

Trust: 0.1

url:http://support.microsoft.com/default.aspx?scid=kb;en-us;256986

Trust: 0.1

url:http://www.symantec.com/research/symantec_vulnerability_research_pgp.asc

Trust: 0.1

url:http://www.symantec.com/avcenter/security/symantecadvisories.html

Trust: 0.1

url:http://support.microsoft.com/kb/q153183

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0561

Trust: 0.1

url:http://www.symantec.com/security/

Trust: 0.1

url:http://www.symantec.com/security/symantec-vulnerability-management-key.asc

Trust: 0.1

url:http://support.microsoft.com/kb/q314837

Trust: 0.1

sources: VULHUB: VHN-16669 // BID: 16743 // JVNDB: JVNDB-2006-003863 // PACKETSTORM: 46315 // CNNVD: CNNVD-200605-133 // NVD: CVE-2006-0561

CREDITS

Andreas Junestam andreas@atstake.com

Trust: 0.6

sources: CNNVD: CNNVD-200605-133

SOURCES

db: VULHUB | id: VHN-16669
db: BID | id: 16743
db: JVNDB | id: JVNDB-2006-003863
db: PACKETSTORM | id: 46315
db: CNNVD | id: CNNVD-200605-133
db: NVD | id: CVE-2006-0561

LAST UPDATE DATE

2024-08-14T14:00:21.344000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-16669 | date: 2017-07-20T00:00:00
db: BID | id: 16743 | date: 2006-05-15T19:54:00
db: JVNDB | id: JVNDB-2006-003863 | date: 2014-03-11T00:00:00
db: CNNVD | id: CNNVD-200605-133 | date: 2006-05-10T00:00:00
db: NVD | id: CVE-2006-0561 | date: 2017-07-20T01:29:52.737

SOURCES RELEASE DATE

db: VULHUB | id: VHN-16669 | date: 2006-05-10T00:00:00
db: BID | id: 16743 | date: 2006-05-08T00:00:00
db: JVNDB | id: JVNDB-2006-003863 | date: 2014-03-11T00:00:00
db: PACKETSTORM | id: 46315 | date: 2006-05-17T06:59:28
db: CNNVD | id: CNNVD-200605-133 | date: 2006-05-09T00:00:00
db: NVD | id: CVE-2006-0561 | date: 2006-05-10T02:14:00