-----BEGIN PGP SIGNED MESSAGE----- CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability Revision 1.0 For public release Thursday, 1999 August 19, at 08:00AM US/Pacific (UTC-0700) ============================================================================= Summary ======= In CiscoSecure Access Control Server (CiscoSecure ACS) for UNIX, versions 1.0 through 2.3.2, there is a database access protocol that could permit unauthorized remote users to read and write the server database without authentication. Depending on the network environment, this might permit unauthorized users to modify the access policies enforced by the CiscoSecure ACS. A utility that is capable of using this protocol to read or modify a database is shipped with the CiscoSecure ACS product. This vulnerability can be eliminated by either a CiscoSecure configuration change, or network configuration change. Cisco has provided a new release that changed a default setting, in order to ensure higher default security level. This vulnerability has Cisco bug ID CSCdm71489. Who Is Affected =============== If you are running an affected version of CiscoSecure ACS for UNIX, and if you have not modified the configuration to strictly permit connections from trusted hosts, and if untrusted users can make TCP connections to TCP port 9900 on the computer on which you have installed CiscoSecure ACS, then you are vulnerable. Users of CiscoSecure ACS for Windows NT are not vulnerable. Impact ====== The impact may vary, depending whether potential attackers have access to port 9900 on the CiscoSecure ACS computer. This vulnerability could allow an attacker to remove accounts, add accounts and change passwords or privileges in the user database, including implementing an administrative account, that would give them control of the CiscoSecure ACS server. Customers who may have been vulnerable to attack are advised to review privileged accounts, and any suspicious database changes. Details ======= This vulnerability has been assigned Cisco bug ID CSCdm71489. Affected and Repaired Software Versions ======================================= This applies ONLY to CiscoSecure ACS for UNIX, and is present in all versions, up to version 2.3.2. Version 2.3.3 of CiscoSecure ACS for UNIX has been modified to validate administrative clients by default. This vulnerability applies only to the software product CiscoSecure Access Control Server for UNIX, and does not apply to CiscoSecure Access Control Server for NT. Getting Fixed Software ====================== As the software fix consists of changing default behavior, and is equivalent to the recommended workarounds, a software upgrade is not required to address this vulnerability. However, if you are running one of the releases affected by defects CSCdk55423 or CSCdm72555, as listed in the Workarounds section in this notice, and these defects prevent you from working around this vulnerability, a software upgrade is necessary, and will be provided, regardless of contract status. If you have a service contract, please download the new software from Cisco's Worldwide Web site at http://www.cisco.com. If you do not have a service contract, please call the Cisco TAC at one of the telephone numbers listed in the "Cisco Security Procedures" section of this notice. Give the URL of this notice as evidence of your entitlement to an upgrade. Workarounds =========== Two workarounds for this vulnerability exist. One workaround consists of enabling client validation within CiscoSecure ACS for UNIX. A caveat to this workaround is that there are some versions of CiscoSecure ACS for UNIX that are subject to another defect, which prevents access to additional administration utilities (the Advanced Administration GUI) within CiscoSecure ACS for UNIX when the client validation feature is enabled. This problem is identified in CSCdm72555 which affects versions 2.3.1 and 2.3.2, and CSCdk55423, which affects versions 2.2.2, 2.2.3 of CiscoSecure ACS for UNIX. This workaround will not be effective in CiscoSecure ACS for UNIX version 2.2.2, 2.2.3, 2.3.1 and 2.3.2, and customers are encouraged to upgrade to a version that does not include this defect. Version 2.3.3 is currently available and is not susceptible to the above problem. You must edit the CSCconfig.ini file, list the permitted remote access hosts, enable remote client validation. TACACS or RADIUS clients do NOT need to be listed under this setting, only hosts that are permitted to administer the server should be listed. In the following example, 'acs_srv_machine' resolves to localhost, and we are providing remote administration privileges to the hosts 'client_machine' and the ip address 172.16.23.23. Permitted clients may be defined by a hostname, or an ip address. CSCconfig.ini file should be edited with the following information: [ValidClients] ;if ValidateClients=true, than we only allow the clients with ids listed ; to connect to the dbserver 100 = acs_srv_machine 100 = client_machine 100 = 172.16.23.23 ValidateClients = true ... An additional configuration parameter "FastAdminValidClients" was added in CiscoSecure ACS version 2.3.3 allowing the Fast Administrator Web based GUI to permit the same IP addresses specified in the valid clients list, to further restrict client access. A second workaround is to use filtering on other network devices, such as a firewall, to control or block access to TCP port 9900 on the CiscoSecure ACS for UNIX server. Exploitation and Public Announcements ===================================== Cisco does not have any reports of malicious use of this vulnerability. CiscoSecure ACS for UNIX Reference Guide does include a cautionary note regarding this vulnerability. Status of This Notice ===================== This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution ============ This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/770/csecure-dbaccess.shtml. In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients: * cust-security-announceat_private * bugtraqat_private * first-teamsat_private (includes CERT/CC) * ciscoat_private * comp.dcom.sys.cisco * first-infoat_private * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History ================ Revision 1.0, 08:00 AM US/Pacific Initial public 19-AUGUST-99 release. Cisco Security Procedures ========================= Cisco's Worldwide Web site contains complete information for reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information directly from Cisco at http://www.cisco.com/warp/public/791/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. ------------------------------------------------------------------------ This notice is copyright 1999 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the notice, provided that redistributed copies are complete and unmodified, including all date and version information. ------------------------------------------------------------------------ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBN7via3LSeEveylnrAQFVnwgAkij5Ap3JcgBDzK5L01rdYjVLmaVAaJjU AA7NZhPm1+2DOhixSA5WMGoXKWqTP+0tK0IBnAsbuNt1wKXPgL1f1WKvLdZiy806 ay/XYoFDYHg6oAwYioRoZ4yU4btSSHMwLCXx2nKsBc12zwyXAWmvfSMVTc+UXigm fm1kA4JP5UY5Nt3QsWuwpC6gb6XKtpGvAqccT5GtDai+CdtpKafZSsdM7qfupdy0 tvWzTXwIcAEMw3VTAsJ95pGUDT425jqNEbHPSTfRX5elgl1ahcGSM5FAjs3PdzMS UWAa9kX7+uzY6OOD92Lr57/HbPfBkuNJ9SoagN4AefK+AUFCnmrImw== =t3gQ -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:41 PDT