Two Cisco advisories: cisco-sa-20110330-nac and cisco-sa-20110330-acs
Normally, two Cisco security advisories would warrant only a "One-liner" noting their existence, with URLs pointing to them. In this case, eagle-eyed fellow handler Daniel noticed some of the wording in one of them. It is titled "Cisco Secure Access Control System Unauthorized Password Change Vulnerability" and it lives at: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml
This is the summary: "A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store."
So essentially anyone can change anyone else's password, any time they feel like it, as long as they know the user account. So far so good. The interesting part comes next: "This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password."
So, hypothetically speaking, if I knew a user account and changed its password to one only I knew, could I not then start changing stuff? I would suppose that the account I changed would have to have privileges to make changes. Therefore, it must be impossible to guess or find any accounts that are able to make changes? There are some caveats: "This vulnerability cannot be used to change the password for the following types of users accounts:
- User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server
- System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface
- Users accounts for the Cisco Secure ACS server itself that have been configured through the username username password password CLI command"
So which accounts does that leave that may be able to make changes?
The other advisory's summary reads: "Cisco Network Access Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network." It is here: http://www.cisco.com/warp/public/707/cisco-sa-20110330-nac.shtml
Update: Cisco PSIRT have provided the following information. Only users configured on one of the ACS internal identity stores are vulnerable. Users configured for administration of the ACS are not vulnerable. Users configured on external identity stores are not vulnerable.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.