Normally two Cisco security advisories would warrant a "One-liner" of their existence, with URLs pointing to them. In this case eagle eye fellow handler Daniel noticed some of the wording in one of them. Its name is "Cisco Secure Access Control System Unauthorized Password Change Vulnerability" and it lives at: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml

This is the summary: "A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store. "

So essentially pretty much anyone can change anyone elses password, any time they feel like it, as long as they know the user account. So far so good. The interesting part comes next: "This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password."

So, hypothetically speaking if I knew a user account, changed its password to one only I knew, could I not then start changing stuff? I would suppose that the account I changed would have to have privileges to make changes. Therefore, it must be impossible to guess or find any accounts that are able to make changes? There are some caveats: "This vulnerability cannot be used to change the password for the following types of users accounts:

• User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server
• System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface
• Users accounts for the Cisco Secure ACS server itself that have been configured through the username username password password CLI command"

So which accounts does that leave that may be able to make changes?

The other advisory summary "Cisco Network Access Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network. " is here: http://www.cisco.com/warp/public/707/cisco-sa-20110330-nac.shtml

Update:  Cisco PSIRT have provided the following information. Only users configured on one of the ACS internal identity stores are vulnerable. Users configured for administration of the ACS are not vulnerable. Users configured on external identity stores are not vulnerable.

Comments?

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.