-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.0352.2
      Cisco Secure Access Control System SQL Injection Vulnerability
                               13 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Secure Access Control System
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0580  

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs

Revision History:  March    13 2015: Updated vulnerable release number
                   February 12 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Secure Access Control System SQL Injection Vulnerability

Advisory ID: cisco-sa-20150211-csacs

Revision 2.0

For Public Release 2015 February 11 16:00  UTC (GMT)
Last Updated  2015 March 11 19:34  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Secure Access Control System (ACS) prior to version 5.5 patch 8 is vulnerable to a SQL injection
attack in the ACS View reporting interface pages. A successful attack could allow an authenticated, 
remote attacker to access and modify information such as RADIUS accounting records stored in one of 
the ACS View databases or to access information in the underlying file system. A previous version of 
this advisory indicated that a product running version 5.5 patch 7 was not vulnerable; however, 
customers running version 5.5 patch 7 should upgrade to patch 8 to completely mitigate the 
vulnerability described in this advisory.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----