CiscoSecure ACS flaw allows arbitrary code execution
Risk: High
Date Discovered: 04-04-2002
Description
CiscoSecure Access Control Server (ACS) contains a flaw that allows malicious
users to execute arbitrary code.
The CiscoSecure ACS provides authentication, authorization, and accounting (AAA)
services to network devices that function as AAA clients, such as network access
servers, PIX Firewalls, or routers. CiscoSecure ACS also helps centralize
access control and accounting, as well as router and switch access management.
The CiscoSecure Access Control Server (ACS) incorrectly processes formatting
symbols. A malicious user can exploit the flaw by sending a specially crafted
URL that contains formatting symbols to port 2002, which is used by the CSADMIN
module for remote execution. This results in user-supplied code being executed
with administrator privileges and could lead to a total compromise of the computer.
If the CSADMIN module is terminated by a malicious user, its administration
function is impacted. Authentication, authorization, or accounting, however,
are not affected. Users should still be able to authenticate as usual.
Platforms Affected: Windows
Components Affected: Cisco Systems Inc. Secure Access Control Server (ACS) for Windows NT 2.6, 2.6.2, 2.6.4, 3.0, and 3.0.1
Recommendations
Cisco Systems Inc. Secure Access Control Server (ACS) for Windows NT
Policy: Best Practice - Firewall/IDS Correctly Configured
A firewall and an intrusion detection system (IDS) are recommended. Firewalls
connected to the Internet should be configured so that all unused/unnecessary
Internet services (Telnet, FTP, NNTP, SMTP, IRC, etc.) are disabled by default.
Services that must be used should be configured to require extended (and encrypted)
user authentication and/or have an IDS configured to monitor the activity of
that service. The firewall should also be configured to protect against fragmented
IP packets.
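Added example (not part of the original advisory, and not Cisco or Symantec code): a log check of the kind the IDS recommendation above implies, flagging requests to port 2002 whose URL carries formatting symbols either raw or hidden behind percent-encoding. The log line layout, the sample addresses and the sample paths are constructed assumptions.

```python
import re
from urllib.parse import unquote

ADMIN_PORT = 2002  # CSADMIN port named in the advisory

# A '%' that does not start a valid %HH escape (malformed percent-encoding).
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")
# A printf-style conversion specifier: flags, width, precision, length, type.
# The space flag is left out on purpose so decoded text such as "50% discount"
# does not match; this is a heuristic, not a full printf grammar.
PRINTF_SPEC = re.compile(r"%[-+#0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L)?[diouxXeEfgGcspn]")


def inspect_target(target):
    """Return the reasons a request target looks like it carries formatting symbols."""
    reasons = []
    if BAD_ESCAPE.search(target):
        reasons.append("malformed percent-escape")
    # Decode once so a specifier hidden as %25s is seen as %s.
    if PRINTF_SPEC.search(unquote(target)):
        reasons.append("format specifier after decoding")
    return reasons


def scan(lines):
    """Assumed line layout (constructed): src_ip dst_port METHOD target VERSION."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[1].isdigit():
            continue  # not in the assumed layout
        src, port, _method, target, _version = parts
        if int(port) != ADMIN_PORT:
            continue  # only the CSADMIN port is of interest here
        reasons = inspect_target(target)
        if reasons:
            findings.append((src, target, reasons))
    return findings


# Constructed sample records; addresses and paths are placeholders.
SAMPLE = [
    "192.0.2.10 2002 GET /index.html HTTP/1.0",
    "192.0.2.10 2002 GET /page?name=John%20Doe HTTP/1.0",
    "198.51.100.7 2002 GET /page?id=%x HTTP/1.0",
    "198.51.100.7 2002 GET /page?id=%25s HTTP/1.0",
    "198.51.100.7 80 GET /page?id=%x HTTP/1.0",
]

if __name__ == "__main__":
    for src, target, reasons in scan(SAMPLE):
        print(f"{src} {target}: {', '.join(reasons)}")
```

Ordinary percent-encoding such as %20 passes both checks, so the output is limited to requests that a patched or unpatched CSADMIN listener should never need to receive.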
Cisco Systems Inc. Secure Access Control Server (ACS) for Windows NT 2.6,
2.6.2, and 2.6.4
The CSAdmin.exe patch fixes both the arbitrary code execution flaw and an
information disclosure vulnerability.
Registered Cisco users should download and install the following patch: Cisco
CSAdmin-patch-2.6-4-4.zip.
To install the patch:
1. Log in as Administrator.
2. Manually stop the CSAdmin service.
3. Rename the \CSAdmin\CSAdmin.exe file.
4. Copy the patched CSAdmin.exe to \CSAdmin.
5. Manually start the CSAdmin service.
Non-registered Cisco users should see the
Cisco Security Advisory for more information.
Cisco Systems Inc. Secure Access Control Server (ACS) for Windows NT 3.0
and 3.0.1
The CSAdmin.exe patch fixes both the arbitrary code execution flaw and an
information disclosure vulnerability.
Registered Cisco users should download and install the following patch: Cisco
CSAdmin-patch-3.0-1-40.zip.
To install the patch:
1. Log in as Administrator.
2. Manually stop the CSAdmin service.
3. Rename the \CSAdmin\CSAdmin.exe file.
4. Copy the patched CSAdmin.exe to \CSAdmin.
5. Manually start the CSAdmin service.
Non-registered Cisco users should see the
Cisco Security Advisory for more information.
References
Source: CIAC M-64
URL: http://ciac.llnl.gov/ciac/bulletins/m-064.shtml
Source: Security Focus.com 4416
URL: http://online.securityfocus.com/bid/4416
Source: Cisco
URL: http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml#summary
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.