Sign-up

ID

VAR-200606-0321


CVE

CVE-2006-3226


TITLE

Windows for Cisco Secure Access Control Server Vulnerabilities that bypass authentication

Trust: 0.8

sources: JVNDB: JVNDB-2006-004041

DESCRIPTION

Cisco Secure Access Control Server (ACS) 4.x for Windows uses the client's IP address and the server's port number to grant access to an HTTP server port for an administration session, which allows remote attackers to bypass authentication via various methods, aka "ACS Weak Session Management Vulnerability.". This issue is due to the application's failure to properly ensure that remote web-based users are properly authenticated. This issue allows remote attackers to gain administrative access to the web-based administrative interface of the affected application. Cisco Secure ACS for Windows versions in the 4.x series were identified as vulnerable to this issue; other versions and platforms may also be affected. This issue is being tracked by Cisco Bug IDs CSCse26754 and CSCse26719. This helps attackers to hijack management sessions because port numbers are assigned in a sequential fashion without using strong authentication. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Cisco Secure ACS Session Management Security Issue SECUNIA ADVISORY ID: SA20816 VERIFY ADVISORY: http://secunia.com/advisories/20816/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network SOFTWARE: Cisco Secure ACS 4.x http://secunia.com/product/10635/ DESCRIPTION: Darren Bounds has reported a security issue in Cisco Secure ACS, which can be exploited by malicious people to bypass certain security restrictions. The problem is caused due to the web-based management interface handling session management in an insecure way based on the assigned service port and the client's IP address. Successful exploitation requires that the attacker uses the same IP address as the logged in administrative user. The security issue has been reported in version 4.0 for Windows. Other versions may also be affected. SOLUTION: Only connect to the web-based management interface from dedicated management systems. PROVIDED AND/OR DISCOVERED BY: Darren Bounds ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060623-acs.shtml Darren Bounds: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047301.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2006-3226 // JVNDB: JVNDB-2006-004041 // BID: 18621 // VULHUB: VHN-19334 // PACKETSTORM: 47709

AFFECTED PRODUCTS

vendor:ciscomodel:secure access control serverscope:eqversion:4.0.1

Trust: 1.9

vendor:ciscomodel:secure access control serverscope:eqversion:4.0

Trust: 1.9

vendor:ciscomodel:secure access control serverscope:eqversion:4.x

Trust: 0.8

sources: BID: 18621 // JVNDB: JVNDB-2006-004041 // CNNVD: CNNVD-200606-497 // NVD: CVE-2006-3226

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-3226
value: HIGH

Trust: 1.0

NVD: CVE-2006-3226
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200606-497
value: HIGH

Trust: 0.6

VULHUB: VHN-19334
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2006-3226
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-19334
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-19334 // JVNDB: JVNDB-2006-004041 // CNNVD: CNNVD-200606-497 // NVD: CVE-2006-3226

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-3226

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200606-497

TYPE

access verification error

Trust: 0.6

sources: CNNVD: CNNVD-200606-497

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2006-004041

PATCH
title:cisco-acs-session-spoofing(27328)url:http://xforce.iss.net/xforce/xfdb/27328
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2006-004041

EXTERNAL IDS
db:NVDid:CVE-2006-3226
Trust: 2.5
db:BIDid:18621
Trust: 2.0
db:SECUNIAid:20816
Trust: 1.8
db:SREASONid:1157
Trust: 1.7
db:VUPENid:ADV-2006-2524
Trust: 1.7
db:OSVDBid:26825
Trust: 1.7
db:SECTRACKid:1016369
Trust: 1.7
db:JVNDBid:JVNDB-2006-004041
Trust: 0.8
db:CNNVDid:CNNVD-200606-497
Trust: 0.7
db:BUGTRAQid:20060623 RE: CISCO SECURE ACS WEAK SESSION MANAGEMENT VULNERABILITY
Trust: 0.6
db:BUGTRAQid:20060623 CISCO SECURE ACS WEAK SESSION MANAGEMENT VULNERABILITY
Trust: 0.6
db:CISCOid:20060623 CISCO SECURE ACS WEAK SESSION MANAGEMENT VULNERABILITY
Trust: 0.6
db:XFid:27328
Trust: 0.6
db:VULHUBid:VHN-19334
Trust: 0.1
db:PACKETSTORMid:47709
Trust: 0.1
sources:
            
            
            VULHUB: VHN-19334 // 
            
            
            
            BID: 18621 // 
            
            
            
            JVNDB: JVNDB-2006-004041 // 
            
            
            
            PACKETSTORM: 47709 // 
            
            
            
            CNNVD: CNNVD-200606-497 // 
            
            
            
            NVD: CVE-2006-3226

REFERENCES
url:http://www.securityfocus.com/bid/18621
Trust: 1.7
url:http://www.cisco.com/en/us/products/sw/secursw/ps2086/tsd_products_security_response09186a00806c68f9.html
Trust: 1.7
url:http://www.osvdb.org/26825
Trust: 1.7
url:http://securitytracker.com/id?1016369
Trust: 1.7
url:http://secunia.com/advisories/20816
Trust: 1.7
url:http://securityreason.com/securityalert/1157
Trust: 1.7
url:http://www.securityfocus.com/archive/1/438161/100/0/threaded
Trust: 1.1
url:http://www.securityfocus.com/archive/1/438258/100/0/threaded
Trust: 1.1
url:http://www.vupen.com/english/advisories/2006/2524
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/27328
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-3226
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-3226
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/27328
Trust: 0.6
url:http://www.securityfocus.com/archive/1/archive/1/438258/100/0/threaded
Trust: 0.6
url:http://www.securityfocus.com/archive/1/archive/1/438161/100/0/threaded
Trust: 0.6
url:http://www.frsirt.com/english/advisories/2006/2524
Trust: 0.6
url:http://www.cisco.com/warp/public/707/cisco-sr-20060623-acs.shtml
Trust: 0.4
url:http://www.cisco.com/en/us/products/sw/secursw/ps2086/index.html
Trust: 0.3
url:/archive/1/438161
Trust: 0.3
url:/archive/1/438258
Trust: 0.3
url:http://secunia.com/product/10635/
Trust: 0.1
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://lists.grok.org.uk/pipermail/full-disclosure/2006-june/047301.html
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/secunia_security_specialist/
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
url:http://secunia.com/advisories/20816/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-19334 // 
            
            
            
            BID: 18621 // 
            
            
            
            JVNDB: JVNDB-2006-004041 // 
            
            
            
            PACKETSTORM: 47709 // 
            
            
            
            CNNVD: CNNVD-200606-497 // 
            
            
            
            NVD: CVE-2006-3226

CREDITS
Darren Bounds dbounds@gmail.com
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200606-497

SOURCES
db:VULHUBid:VHN-19334
db:BIDid:18621
db:JVNDBid:JVNDB-2006-004041
db:PACKETSTORMid:47709
db:CNNVDid:CNNVD-200606-497
db:NVDid:CVE-2006-3226

LAST UPDATE DATE
2024-08-14T15:40:45.140000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-19334date:2018-10-18T00:00:00
db:BIDid:18621date:2006-06-26T04:50:00
db:JVNDBid:JVNDB-2006-004041date:2014-03-11T00:00:00
db:CNNVDid:CNNVD-200606-497date:2006-06-27T00:00:00
db:NVDid:CVE-2006-3226date:2018-10-18T16:46:21.047

SOURCES RELEASE DATE
db:VULHUBid:VHN-19334date:2006-06-26T00:00:00
db:BIDid:18621date:2006-06-23T00:00:00
db:JVNDBid:JVNDB-2006-004041date:2014-03-11T00:00:00
db:PACKETSTORMid:47709date:2006-06-26T22:21:41
db:CNNVDid:CNNVD-200606-497date:2006-06-26T00:00:00
db:NVDid:CVE-2006-3226date:2006-06-26T16:05:00