===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2006.0011 -- [Win][Cisco]
        Cisco Secure ACS for Windows Downloadable IP Access Control
                            List Vulnerability
                              9 January 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Secure Access Control Server for Windows 3.0 to 3.3.3
                   PIX 6.3
                   PIX/ASA 7.0
                   FWSM
                   VPN3000
Publisher:         Cisco Systems
Operating System:  Windows
                   Cisco IOS
Impact:            Inappropriate Access
Access:            Remote/Unauthenticated
CVE Names:         CVE-2005-4499

Original Bulletin: 
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

Field Notice: FN - 61965 - 
CS ACS for Windows Downloadable IP Access Control List Vulnerability

Document ID: 68484

December 27, 2005

NOTICE:
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY.
YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM
THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE
OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

    Product           Comments

    VPN3000           -

    CVPN3002          -

    FWSM              -

    PIX               6.3

    ACS - 3.0WN2K     -

    ACS - 3.1WN2K     -

    ACS - 3.2WN2K     -

    ACS - 3.3WN2K     Application and Appliance

    ASA - 7.0         7.0(1)


Problem Description

    The Downloadable IP Access Control List (ACL) feature found in Cisco
    Secure Access Control Server (CS ACS) for Windows versions 3.0 through
    3.3.3 may allow an unauthorized user to gain network access through
    a Remote Access Server or Network Access Server (RAS/NAS).

    This issue has been resolved in CS ACS Version 4.0.1 as well as PIX
    version 6.3(5), PIX/ASA 7.0(2), Cisco IOS Software Version 12.3(8)T4
    and VPN 3000 versions 4.0.5.B and 4.1.5.B. FWSM is under investigation
    and while not resolved, there is a workaround to mitigate the issue.
    The software fix has rendered the newer version of CS ACS incompatible
    with the earlier version of the RAS/NAS software. Customers utilizing
    Downloadable IP ACLs who upgrade ACS to versions 4.0.1 or later must
    also upgrade any RAS/NAS device software at the same time in order
    to resolve this issue.

    If the ACS server is upgraded to software version 4.0.1 or later
    before the RAS/NAS devices are upgraded, all Downloadable IP ACL
    requests will be declined. However, no harm will result to Downloadable
    IP ACL functionality if the RAS/NAS devices are upgraded to the new
    software before the ACS server software is upgraded. In either case,
    normal RADIUS user authentication will not be affected.


Background

    CS ACS Server for Windows version 3.0 introduced the Downloadable
    PIX ACL feature which allows for user-specific ACLs to be downloaded
    to a PIX Firewall. CS ACS Server for Windows version 3.2 broadened
    the supported range of RAS/NAS devices to include IOS routers as
    well as VPN 3000 concentrators and the feature was renamed to
    Downloadable IP ACL.

    Communication between the RAS/NAS device and ACS server takes place
    using the standard RADIUS (PAP) protocol in a manner very similar
    to typical RADIUS user authentication. The ACL name to be downloaded
    is placed in the "User-Name" RADIUS attribute but otherwise the
    request appears to be a typical user authentication request. When
    the ACS server receives the request and determines that the "User-Name"
    is one of its configured downloadable IP ACLs it responds with the
    ACL content in an "Access-Accept" RADIUS packet.

    If a malicious attacker knows the name of a Downloadable IP ACL
    configured on the ACS server they may use the name of that ACL as
    their user name when prompted to provide credentials by a RAS/NAS.
    When the ACS server receives the authentication request from the
    RAS/NAS it believes that it is a request to receive the specified
    ACL (rather than a user authentication request) and responds with a
    typical RADIUS "Access-Accept" message in addition to the ACL. When
    the RAS/NAS receives this response it interprets it to be permission
    to access the network and grants the attacker access.

    This vulnerability is very unlikely to be exploited for several
    reasons in the ACS 3.3.3 code and has been resolved in the 4.0.1
    code. However, in order to implement this fix the behavior of
    downloadable ACLs was changed and other software had to be updated
    to work with this change.

    Learning the Downloadable IP ACL names is very difficult:

    There are three potential sources where the attacker might find out
    the names of existing downloadable ACLs.

       1. Sniff the RADIUS traffic between the RAS/NAS and ACS server.
          This means that the attacker must have access to the network
          traffic between the RAS/NAS and ACS server.

       2. Browse the ACS server configuration. For this the attacker
          must be an ACS administrator with read privileges or have
          otherwise compromised the ACS server. Also, a Downloadable IP
          ACL name shown on the ACS user interface is different from the
          "User-name" sent by the device. The attacker also must understand
          how the time stamp is built as well as the exact server
          machine time at which the ACL was last edited in order to
          properly determine the exact "User-name" to be used.

       3. Browse the RAS/NAS server configuration. Run the show run or
          similar command on the RAS/NAS device in enabled mode to determine
          the names of all downloadable ACLs in use. Similar to the above
          condition, the attacker must be a RAS/NAS administrator with
          read privileges or have otherwise compromised the RAS/NAS
          server.

    The Downloadable IP ACL names change dynamically:

       1. Editing the Downloadable IP ACLs on the ACS server even if no
          change is made will result in a new ACL name being generated.

       2. Re-starting the CSRadius (ACS) service will purge the cache
          of all downloadable ACL names and force all ACLs to be renamed.


Problem Symptoms

    If appropriate levels of AAA logging are enabled on the RAS/NAS
    devices and/or ACS server then the use of Downloadable IP ACL names
    as user names may be clearly identified. AAA log entries for the
    RAS/NAS device as well as "passed authentication" log entries on the
    ACS server would indicate that a user with a username based on a
    Downloadable IP ACL requested and was granted network access.

    Note: The user name utilized by the Downloadable IP ACL feature
    contains more characters than the name used for the ACL in the ACS
    management screen. It is preceded by an ACS ACL identifier string
    and followed by date and time stamp information. For example, a
    Downloadable IP ACL created on the ACS Server with the name "IP-test"
    will result in a user name such as "#ACSACL#-IP-test-40d050cd". AAA
    logs containing passed authentication entries with user names formatted
    like this are a clear indication that this issue has been exploited.

    Below is a sample ACS "passed authentication" log with one entry
    showing a Downloadable IP ACL user authentication in .csv format:

Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address 
02/08/2005,15:56:17,Authen OK,#ACSACL#-IP-test-40d050cd,Default Group,,,192.168.254.252
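    A small detection script for the log format above, added here as an
    illustration and not part of the Cisco field notice or AusCERT
    bulletin: it parses an ACS "passed authentication" .csv export and
    flags every "Authen OK" entry whose User-Name has the
    "#ACSACL#-<name>-<8 hex digits>" shape. The first sample row is the one
    quoted above; the other rows, and the assumption that the stamp is
    always eight hex digits, are constructed for the example.

```python
import csv
import io
import re

# User-Name shape used by the Downloadable IP ACL feature: the ACS ACL
# identifier "#ACSACL#-", the ACL name, then a stamp. The notice shows
# "#ACSACL#-IP-test-40d050cd"; an 8-hex-digit stamp is assumed here.
DACL_USERNAME = re.compile(r"^#ACSACL#-(?P<acl>.+)-(?P<stamp>[0-9a-fA-F]{8})$")

# Constructed sample ACS "passed authentication" log. Row 1 is the entry
# quoted in the field notice; rows 2 and 3 are made up for this example.
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address
02/08/2005,15:56:17,Authen OK,#ACSACL#-IP-test-40d050cd,Default Group,,,192.168.254.252
02/08/2005,15:57:02,Authen OK,jsmith,VPN Users,,5,192.168.254.252
02/08/2005,16:01:45,Authen OK,#ACSACL#-Guest-Net-4f1a2b3c,Default Group,,,192.168.254.253
"""


def find_dacl_logins(csv_text):
    """Return passed-authentication entries whose User-Name is a DACL name.

    A RAS/NAS granting access to such a "user" is the symptom the notice
    describes: the ACL download name was accepted as a login.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = DACL_USERNAME.match(row.get("User-Name", "").strip())
        if match and row.get("Message-Type", "").strip() == "Authen OK":
            hits.append({
                "when": f'{row["Date"]} {row["Time"]}',
                "acl": match.group("acl"),
                "stamp": match.group("stamp"),
                "nas": row["NAS-IP-Address"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_dacl_logins(SAMPLE_LOG):
        print(f'{hit["when"]}: DACL "{hit["acl"]}" (stamp {hit["stamp"]}) '
              f'accepted as a user name from NAS {hit["nas"]}')
```

    Running it against a real export flags the two constructed DACL rows
    and ignores the ordinary "jsmith" login.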

    If the ACS server is upgraded to SW version 4.0.1 or later before
    the RAS/NAS devices are upgraded as well, all Downloadable IP ACL
    requests will be declined. However, no harm will result to Downloadable
    IP ACL functionality if the RAS/NAS devices are upgraded to the new
    software first. In either case, normal RADIUS user authentication
    will not be affected.


Workaround/Solution

    For VPN3000, FWSM, PIX, and ASA RADIUS, access-lists using the Cisco
    AV Pair can be used instead of Cisco downloadable IP access-lists.
    This Workaround is detailed under the specific product DDTS's.

    For IOS, the only workaround is to disable the Downloadable IP ACL
    feature. This will prevent the ACS from authorizing users with names
    equivalent to Downloadable IP ACLs. RADIUS access-lists using the
    Cisco AV pair are not a workaround for this issue.

    If the ACS server is upgraded to SW version 4.0.1 or later before
    the RAS/NAS devices are upgraded, all Downloadable IP ACL requests
    will be declined. However, no harm will result to Downloadable IP
    ACL functionality if the RAS/NAS devices are upgraded to the new
    software before the ACS server software is upgraded. In either case,
    normal RADIUS user authentication will not be affected.

    The solution is to upgrade both the ACS server as well as all RAS/NAS
    devices to the software releases that include the fix. In the newer
    software releases the Downloadable IP ACL RADIUS requests have been
    modified so that they may be distinguished from normal user
    authentication requests.


DDTS

    To follow the bug ID link below and see detailed bug information,
    you must be a registered user and you must be logged in.

    DDTS                     Description

    CSCin79018 (registered   IOS: Potential ACL vulnerability in downloadable ACL
    customers only)          functionality integrated in 12.3(08)T04 and 12.3(10.02)T

    CSCsc89235 (registered   FWSM - Add support for new RADIUS VSA to mitigate
    customers only)          downloadable ACL issue

    CSCeh22447 (registered   ASA - Add support for new RADIUS VSA to mitigate
    customers only)          downloadable ACL issue

    CSCee92021 (registered   VPN 3000: Fix needed for Downloadable ACL security fix
    customers only)          w/ ACS integrated in 04.7(00) REL 04.0(05)B 04.1(05)B

    CSCef21184 (registered   PIX: Add support for new RADIUS VSA to mitigate
    customers only)          downloadable ACL issue. Integrated in 7.0.4

Revision History

    Revision         Date           Comment

    Revision 1.0     27-Dec-2005    Initial public release.


For More Information

    If you require further assistance, or if you have any further questions
    regarding this field notice, please contact the Cisco Systems Technical
    Assistance Center (TAC) by one of the following methods:

        * Open a service request on Cisco.com
        * By email
        * By telephone


Receive Email Notification For New Field Notices

    Product Alert Tool - Set up a profile to receive email updates about
    reliability, safety, network security, and end-of-sale issues for
    the Cisco products you specify.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
