Two Cisco advisories: cisco-sa-20110330-nac and cisco-sa-20110330-acs

Published: 2011-03-30
Last Updated: 2011-04-01 14:38:48 UTC
by Adrien de Beaupre (Version: 2)
2 comment(s)

Normally two Cisco security advisories would warrant a "One-liner" of their existence, with URLs pointing to them. In this case eagle eye fellow handler Daniel noticed some of the wording in one of them. Its name is "Cisco Secure Access Control System Unauthorized Password Change Vulnerability" and it lives at:

This is the summary: "A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store. "

So essentially pretty much anyone can change anyone elses password, any time they feel like it, as long as they know the user account. So far so good. The interesting part comes next: "This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password."

So, hypothetically speaking if I knew a user account, changed its password to one only I knew, could I not then start changing stuff? I would suppose that the account I changed would have to have privileges to make changes. Therefore, it must be impossible to guess or find any accounts that are able to make changes? There are some caveats: "This vulnerability cannot be used to change the password for the following types of users accounts:

  • User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server
  • System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface
  • Users accounts for the Cisco Secure ACS server itself that have been configured through the username username password password CLI command"

So which accounts does that leave that may be able to make changes?

The other advisory summary "Cisco Network Access Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network. " is here:

Update:  Cisco PSIRT have provided the following information. Only users configured on one of the ACS internal identity stores are vulnerable. Users configured for administration of the ACS are not vulnerable. Users configured on external identity stores are not vulnerable.


Adrien de Beaupré Inc.


2 comment(s)


"So which accounts does that leave that may be able to make changes?"

As the ACS can be used as a RADIUS or TACACS+ server to store VPN user accounts, admin accounts for network hardware, application user accounts and many other types of accounts. For sites that are using single-factor password authentication, an attacker might gain VPN access to internal networks and/or to accounts used to manage servers, routers, switches, firewalls etc. or accounts that have access to confidential information.

Of course this is just my understanding, based on the information in the vulnerability announcement. Does anyone else see it differently?
That's my understanding as well. The accounts vulnerable are all the accounts that could be authenticated through the RADIUS service, except ACS system accounts and accounts stored in external databases.
That's a lot for those who use RADIUS consistently.

Diary Archives