Reported April 23, 2003, by Cisco Systems



VERSIONS AFFECTED


Cisco Secure ACS 3.1.1, 3.0.3, 2.6.4, and earlier


DESCRIPTION


Cisco Secure ACS for Windows contains a buffer overflow condition that can permit a Denial of Service (DoS) attack and a root compromise. The problem appears to occur during the software's handling of logon sequences.


Cisco recommends that customers either upgrade to a repaired version of Cisco Secure ACS or install Cisco Secure ACS so that external access to its management interfaces is either not permitted at all or is restricted. Users who want to restrict access to the management interfaces need to block access to ACS on port 2002.


VENDOR RESPONSE


Cisco has released a bulletin and free upgrades, which you can download from the company's Web site.


CREDIT

Discovered by NSFocus.