Reported September 21, 2000 by Cisco

VERSIONS AFFECTED
  • CiscoSecure ACS for Windows NT, all versions up to and including 2.4(2)

DESCRIPTION

Three vulnerabilities have been found in CiscoSecure ACS running on Windows NT Server.  Two are denial of service conditions (one of which may also allow arbitrary code execution), and the third is an authentication bypass.

DEMONSTRATION

Vulnerability #1:  A buffer overflow exists in the CSAdmin module, the administration service that listens on TCP port 2002.  It is triggered by sending an oversized packet to that port, crashing the service.  According to Cisco, depending on the exact version of Windows NT Server in use, the overflow can also be used to execute arbitrary code.  Since the administration port is the attack surface, it should be reachable only from management hosts until the fix is applied.  Additional information is available from Cisco under Cisco Bug ID CSCdr68286.

Vulnerability #2:  This is a straightforward denial of service.  Sending an oversized TACACS+ packet (TACACS+ runs on TCP port 49) can cause the server to become unstable.  For the attack to be effective, the attacker must be able to sniff or inject traffic on the path between the TACACS+ client and the CiscoSecure ACS server.  Additional information is available from Cisco under Cisco Bug ID CSCdr51286.

Vulnerability #3:  The last vulnerability requires that CiscoSecure ACS authenticate users against an external LDAP server, and that this server accept null (blank) passwords.  Many LDAP servers treat a bind request carrying a user DN and an empty password as an anonymous (unauthenticated) bind and report success without checking any credential; if ACS forwards the empty password and treats the successful bind as a successful authentication, an attacker who knows only a valid username can bypass the password protection on a router or switch that authenticates through ACS.  Administrators should verify that their directory rejects empty-password binds, or upgrade.  Additional information is available from Cisco under Cisco Bug ID CSCdr26113.
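The following is an added illustration of the null-password bypass class described in vulnerability #3; it is not CiscoSecure ACS code, and it does not talk to a real directory.  The function ldap_simple_bind is a constructed stand-in for an LDAP server that implements the unauthenticated bind of RFC 4513 section 5.1.2 (non-empty DN plus empty password is treated as an anonymous bind and succeeds).  The DN template, the sample directory entries and the two authenticate_* functions are assumptions made for the example.

```python
"""Constructed model of a proxy that authenticates users by binding to LDAP.

ldap_simple_bind imitates a directory server that accepts unauthenticated
binds (RFC 4513 section 5.1.2): a bind with a non-empty DN and an EMPTY
password is handled as an anonymous bind and returns success without any
password check.  A proxy that equates "bind succeeded" with "password
verified" therefore lets anyone in with a blank password.
"""

# Constructed sample directory (DN -> password); stands in for a real LDAP server.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",
}


def ldap_simple_bind(dn: str, password: str) -> bool:
    """Model of an LDAP simple bind on a server that allows null passwords.

    Returns True when the bind succeeds.  Note the second branch: a
    non-empty DN with an empty password is treated as anonymous access,
    so no credential is ever compared.
    """
    if dn == "":
        return True  # anonymous bind (empty name, empty password)
    if password == "":
        return True  # unauthenticated bind: treated as anonymous, no password check
    return DIRECTORY.get(dn) == password  # authenticated bind: real check


def user_dn(username: str) -> str:
    # Assumed DN template; a real deployment configures its own.
    return f"uid={username},ou=people,dc=example,dc=com"


def authenticate_vulnerable(username: str, password: str) -> bool:
    """Naive proxy: forwards whatever it received and trusts the bind result.

    With a null-password-tolerant directory this returns True for ANY
    username when the password is blank, which is the bypass.
    """
    return ldap_simple_bind(user_dn(username), password)


def authenticate_hardened(username: str, password: str) -> bool:
    """Refuses to forward an empty credential to the directory.

    The check happens before the bind, so an unauthenticated bind can
    never be mistaken for a verified password, regardless of how the
    directory is configured.
    """
    if not username or not password:
        return False
    return ldap_simple_bind(user_dn(username), password)
```

Assumed usage: authenticate_vulnerable("alice", "") returns True (and so does authenticate_vulnerable("nobody", "") for a user that does not exist), while authenticate_hardened("alice", "") returns False and only the correct password for alice is accepted.  The fix belongs on the proxy side as shown, but the directory should be locked down as well: OpenLDAP rejects unauthenticated binds unless `allow bind_anon_dn` is configured, so a server that accepts them has been deliberately opened.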

VENDOR RESPONSE

Cisco Systems recommends that customers running versions of this software prior to 2.4(3) upgrade as soon as possible.  Fix and upgrade information is available from the Cisco web site.

CREDIT
Discovered by
Cisco