Reported August 25, 2004, by Cisco Systems

VERSIONS AFFECTED

  • Versions 3.2(3) and earlier are vulnerable to CSCef05950 and
    CSCed81716.
  • Version 3.2(2) build 15 is vulnerable to CSCeb60017.
  • Version 3.2 is vulnerable to CSCec90317 and CSCec66913.
  • CSCed81716 applies only to the ACS Solution Engine.

DESCRIPTION
Multiple vulnerabilities exist in Cisco Systems' Secure Access Control Server (ACS), the most severe of which could let an unauthorized user authenticate to a server. The vulnerabilities include the following:

  • CSCeb60017 and CSCec66913—Cisco Secure ACS provides a Web-based management interface, termed CSAdmin, which listens on TCP port 2002. When flooded with TCP connections, the ACS Windows and ACS Solution Engine stop responding to new TCP connections destined for port 2002. Additionally, services on ACS that process authentication-related requests might become unstable and stop responding, thereby hampering ACS's ability to process authentication-related requests. You must reboot the device to restore these services.
  • CSCec90317—Cisco Secure ACS, when configured for Lightweight Extensible Authentication Protocol (LEAP) Remote Authentication Dial-In User Service (RADIUS) proxy, forwards LEAP authentication requests to a secondary RADIUS server. The ACS device with LEAP RADIUS proxy configured might crash while LEAP authentication requests are being processed. You must reboot the device to restore it to an operational state.
  • CSCed81716—Cisco Secure ACS can communicate with external databases and authenticate users against those databases. Novell Directory Services (NDS) is one of the external databases that ACS supports. If an anonymous bind in NDS is allowed, and if the ACS Solution Engine is authenticating NDS users with NDS and not generic Lightweight Directory Access Protocol (LDAP) as the external database, users can authenticate with blank passwords against that NDS database. However, wrong passwords and incorrect usernames are properly rejected.
  • CSCef05950—After a user successfully authenticates to the ACS GUI on TCP port 2002, a separate TCP connection is created between the browser and ACS administration Web service, with a random destination port. If an attacker spoofs the IP address of the user computer and accesses the ACS GUI on this random port, the attacker could connect to the ACS GUI, thereby bypassing authentication. An attacker could also bypass authentication to the ACS server if the attacker is behind the same port address translation (PAT) device as the ACS user and accesses the ACS GUI on this random port.

VENDOR RESPONSE
Cisco Systems has released Security Advisory 61603, "Multiple Vulnerabilities in Cisco Secure Access Control Server," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Cisco Systems.