-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                      ESB-2006.0011 -- [Win][Cisco]
 Cisco Secure ACS for Windows Downloadable IP Access Control List Vulnerability
                              9 January 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Cisco Secure Access Control Server for Windows 3.0 to 3.3.3
                      PIX 6.3
                      PIX/ASA 7.0
                      FWSM
                      VPN3000
Publisher:            Cisco Systems
Operating System:     Windows
                      Cisco IOS
Impact:               Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2005-4499

Original Bulletin:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

Field Notice: FN - 61965 - CS ACS for Windows Downloadable IP Access Control
List Vulnerability

Document ID: 68484
December 27, 2005

NOTICE: THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY.
YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE
FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE
THIS FIELD NOTICE AT ANY TIME.

Products Affected

  Product            Comments
  -----------------  --------------------------
  VPN3000            -
  CVPN3002           -
  FWSM               -
  PIX 6.3
  ACS - 3.0WN2K      -
  ACS - 3.1WN2K      -
  ACS - 3.2WN2K      -
  ACS - 3.3WN2K      Application and Appliance
  ASA - 7.0          7.0(1)

Problem Description

The Downloadable IP Access Control List (ACL) feature found in Cisco Secure
Access Control Server (CS ACS) for Windows versions 3.0 through 3.3.3 may
allow an unauthorized user to gain network access through a Remote Access
Server or Network Access Server (RAS/NAS).

This issue has been resolved in CS ACS Version 4.0.1 as well as PIX version
6.3(5), PIX/ASA 7.0(2), Cisco IOS Software Version 12.3(8)T4 and VPN 3000
versions 4.0.5.B and 4.1.5.B.
FWSM is under investigation and, while not resolved, there is a workaround to
mitigate the issue.

The software fix has rendered the newer version of CS ACS incompatible with
the earlier version of the RAS/NAS software. Customers utilizing Downloadable
IP ACLs who upgrade ACS to versions 4.0.1 or later must also upgrade any
RAS/NAS device software at the same time in order to resolve this issue.

If the ACS server is upgraded to software version 4.0.1 or later before the
RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be
declined. However, no harm will result to Downloadable IP ACL functionality
if the RAS/NAS devices are upgraded to the new software before the ACS server
software is upgraded. In either case, normal RADIUS user authentication will
not be affected.

Background

CS ACS Server for Windows version 3.0 introduced the Downloadable PIX ACL
feature which allows for user-specific ACLs to be downloaded to a PIX
Firewall. CS ACS Server for Windows version 3.2 broadened the supported range
of RAS/NAS devices to include IOS routers as well as VPN 3000 concentrators
and the feature was renamed to Downloadable IP ACL.

Communication between the RAS/NAS device and ACS server takes place using the
standard RADIUS (PAP) protocol in a manner very similar to typical RADIUS user
authentication. The ACL name to be downloaded is placed in the "User-Name"
RADIUS attribute but otherwise the request appears to be a typical user
authentication request. When the ACS server receives the request and
determines that the "User-Name" is one of its configured downloadable IP ACLs
it responds with the ACL content in an "Access-Accept" RADIUS packet.

If a malicious attacker knows the name of a Downloadable IP ACL configured on
the ACS server they may use the name of that ACL as their user name when
prompted to provide credentials by a RAS/NAS.
When the ACS server receives the authentication request from the RAS/NAS it
believes that it is a request to receive the specified ACL (rather than a user
authentication request) and responds with a typical RADIUS "Access-Accept"
message in addition to the ACL. When the RAS/NAS receives this response it
interprets it to be permission to access the network and grants the attacker
access.

This vulnerability is very unlikely to be exploited for several reasons in the
ACS 3.3.3 code and has been resolved in the 4.0.1 code. However, in order to
implement this fix the behavior of downloadable ACLs was changed and other
software had to be updated to work with this change.

Learning the Downloadable IP ACL names is very difficult. There are three
potential sources where the attacker might find out the names of existing
downloadable ACLs:

1. Sniff the RADIUS traffic between the RAS/NAS and ACS server. This means
   that the attacker must have access to the network traffic between the
   RAS/NAS and ACS server.

2. Browse the ACS server configuration. For this the attacker must be an ACS
   administrator with read privileges or have otherwise compromised the ACS
   server. Also, a Downloadable IP ACL name shown on the ACS user interface
   is different from the "User-name" sent by the device. The attacker also
   must understand how the time stamp is built as well as the exact server
   machine time at which the ACL was last edited in order to properly
   determine the exact "User-name" to be used.

3. Browse the RAS/NAS server configuration. Run the show run or similar
   command on the RAS/NAS device in enable mode to determine the names of all
   downloadable ACLs in use. Similar to the above condition, the attacker
   must be a RAS/NAS administrator with read privileges or have otherwise
   compromised the RAS/NAS server.

The Downloadable IP ACL names change dynamically:

1. Editing the Downloadable IP ACLs on the ACS server, even if no change is
   made, will result in a new ACL name being generated.

2. Re-starting the CSRadius (ACS) service will purge the cache of all
   downloadable ACL names and force all ACLs to be renamed.

Problem Symptoms

If appropriate levels of AAA logging are enabled on the RAS/NAS devices
and/or ACS server then the use of Downloadable IP ACL names as user names may
be clearly identified. AAA log entries for the RAS/NAS device as well as
"passed authentication" log entries on the ACS server would indicate that a
user with a username based on a Downloadable IP ACL requested and was granted
network access.

Note: The user name utilized by the Downloadable IP ACL feature contains more
characters than the name used for the ACL in the ACS management screen. It is
preceded by an ACS ACL identifier string and followed by date and time stamp
information. For example, a Downloadable IP ACL created on the ACS Server
with the name "IP-test" will result in a user name such as
"#ACSACL#-IP-test-40d050cd". AAA logs containing passed authentication
entries with user names formatted like this are a clear indication that this
issue has been exploited.

Below is a sample ACS "passed authentication" log with one entry showing a
Downloadable IP ACL user authentication in .csv format:

  Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address
  02/08/2005,15:56:17,Authen OK,#ACSACL#-IP-test-40d050cd,Default Group,,,192.168.254.252

If the ACS server is upgraded to SW version 4.0.1 or later before the RAS/NAS
devices are upgraded as well, all Downloadable IP ACL requests will be
declined. However, no harm will result to Downloadable IP ACL functionality
if the RAS/NAS devices are upgraded to the new software first. In either
case, normal RADIUS user authentication will not be affected.

Workaround/Solution

For VPN3000, FWSM, PIX, and ASA, RADIUS access-lists using the Cisco AV Pair
can be used instead of Cisco downloadable IP access-lists. This workaround is
detailed under the specific product DDTS's.
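The following detection script is an added example and is not part of the Cisco notice or the AusCERT bulletin. It parses the ACS "passed authentication" .csv format quoted above and flags every "Authen OK" row whose User-Name has the "#ACSACL#-<acl name>-<stamp>" shape, which is the symptom the notice describes. The sample log is constructed: the first data row is the notice's own example, the other rows are made up.

```python
import csv
import io
import re
from typing import Dict, List

# Column names of the ACS "passed authentication" .csv log quoted in the notice.
ACS_HEADER = "Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address"

# A Downloadable IP ACL "user name" is "#ACSACL#-" + the ACL name shown in the
# ACS UI + "-" + a time stamp suffix, e.g. "#ACSACL#-IP-test-40d050cd".
# The suffix is treated as an opaque hex token here; the notice does not
# document its encoding.
ACL_USERNAME_RE = re.compile(r"^#ACSACL#-(?P<acl>.+)-(?P<stamp>[0-9a-fA-F]+)$")


def is_acl_username(user_name: str) -> bool:
    """True if a User-Name value has the shape ACS uses for ACL downloads."""
    return ACL_USERNAME_RE.match(user_name.strip()) is not None


def find_acl_logins(log_text: str) -> List[Dict[str, str]]:
    """Return every 'Authen OK' row whose User-Name is a Downloadable IP ACL name.

    Each hit is a session that a RAS/NAS accepted with an ACL name as its
    'user', the indicator the field notice says to look for in AAA logs.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = (row.get("User-Name") or "").strip()
        if row.get("Message-Type", "").strip() != "Authen OK" or not is_acl_username(user):
            continue
        m = ACL_USERNAME_RE.match(user)
        hits.append({
            "date": row["Date"], "time": row["Time"], "user_name": user,
            "acl_name": m.group("acl"), "stamp": m.group("stamp"),
            "nas_ip": row["NAS-IP-Address"],
        })
    return hits


# Constructed sample log: row 1 is the notice's example, rows 2 and 3 are made
# up (a normal user login that must not be flagged, and a second ACL-named login).
SAMPLE_LOG = ACS_HEADER + "\n" + "\n".join([
    "02/08/2005,15:56:17,Authen OK,#ACSACL#-IP-test-40d050cd,Default Group,,,192.168.254.252",
    "02/08/2005,16:02:41,Authen OK,jsmith,Default Group,,,192.168.254.252",
    "02/08/2005,16:10:05,Authen OK,#ACSACL#-IP-vpn-users-40d051aa,Default Group,,,192.168.254.253",
])

if __name__ == "__main__":
    for hit in find_acl_logins(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']}: ACL '{hit['acl_name']}' used as user name "
              f"({hit['user_name']}) accepted via NAS {hit['nas_ip']}")
```

Correlate each hit with the corresponding AAA entry on the RAS/NAS named in the NAS-IP-Address column, as the notice recommends checking both logs.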
For IOS, the only workaround is to disable the Downloadable IP ACL feature.
This will prevent the ACS from authorizing users with names equivalent to
Downloadable IP ACLs. RADIUS access-lists using the Cisco AV pair are not a
workaround for this issue.

If the ACS server is upgraded to SW version 4.0.1 or later before the RAS/NAS
devices are upgraded, all Downloadable IP ACL requests will be declined.
However, no harm will result to Downloadable IP ACL functionality if the
RAS/NAS devices are upgraded to the new software before the ACS server
software is upgraded. In either case, normal RADIUS user authentication will
not be affected.

The solution is to upgrade both the ACS server as well as all RAS/NAS devices
to the software releases that include the fix. In the newer software releases
the Downloadable IP ACL RADIUS requests have been modified so that they may
be distinguished from normal user authentication requests.

If the ACS server is upgraded to software version 4.0.1 or later before the
RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be
declined. However, no harm will result to Downloadable IP ACL functionality
if the RAS/NAS devices are upgraded to the new software before the ACS server
software is upgraded. In either case, normal RADIUS user authentication will
not be affected.

DDTS

To follow the bug ID link below and see detailed bug information, you must be
a registered user and you must be logged in.
  DDTS                   Description
  ---------------------  -------------------------------------------------
  CSCin79018             IOS: Potential ACL vulnerability in downloadable
  (registered            ACL functionality. Integrated in 12.3(08)T04 and
  customers only)        12.3(10.02)T

  CSCsc89235             FWSM - Add support for new RADIUS VSA to mitigate
  (registered            downloadable ACL issue
  customers only)

  CSCeh22447             ASA - Add support for new RADIUS VSA to mitigate
  (registered            downloadable ACL issue
  customers only)

  CSCee92021             VPN 3000: Fix needed for Downloadable ACL security
  (registered            fix w/ ACS. Integrated in 04.7(00) REL, 04.0(05)B,
  customers only)        04.1(05)B

  CSCef21184             PIX: Add support for new RADIUS VSA to mitigate
  (registered            downloadable ACL issue. Integrated in 7.0.4
  customers only)

Revision History

  Revision   Date         Comment
  ---------  -----------  -----------------------
  1.0        27-Dec-2005  Initial public release.

For More Information

If you require further assistance, or if you have any further questions
regarding this field notice, please contact the Cisco Systems Technical
Assistance Center (TAC) by one of the following methods:

  * Open a service request on Cisco.com
  * By email
  * By telephone

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about
reliability, safety, network security, and end-of-sale issues for the Cisco
products you specify.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================