Flaw Found In Cisco Secure Access Control Server

Secure ACS, an identity networking solution that simplifies user management by combining authentication, user and administrator access, and policy control, includes a flaw that could enable attackers to gain administrative access to the Web-based interface used to manage network devices, according to independent security researcher Darren Bounds, who revealed the flaw in a post to the Full Disclosure security mailing list last week.

Secure ACS is essentially the hub of Cisco's NAC framework and it relies heavily on the ability of the user and endpoints to authenticate against a central directory, Bounds said. "Ultimately, compromising Secure ACS grants you administrative access to any devices that the server is responsible for authenticating," said Bounds.

The flaw is "fairly trivial" to exploit because the information to exploit it can be easily acquired and may already exist in some circumstances, Bounds said. For example, many companies handle access to the Secure ACS through a proxy, which means all clients have the same IP address, he noted.

To exploit the flaw, attackers also need to find out which dynamic port is being leveraged by the ACS server for administration purposes, and that information is easy to predict because the current implementation of Secure ACS uses automatic port allocation, Bounds said.

id
unit-1659132512259
type
Sponsored post

"It's very easy to determine if an administrator is logged in to determine what port they're using," Bounds said. And because there are only about 65,000 port combinations, attackers could also just run through all the ports to find the one they need, he added.

To mitigate the threat, Chris Labatt-Simon, president and CEO of D&D Consulting, an Albany, N.Y.-based solution provider, recommends that companies use more security on their boxes and not allow access to Secure ACS from proxy servers. "We're advising our customers to restrict the number of IP addresses that have access to the box and to sign in and out as quickly as possible, which will minimize the window of exposure," said Labatt-Simon.

Symantec, in an advisory sent to customers of its DeepSight Threat Management System Monday, recommended blocking external access at the network boundary and adding an extra layer of authentication, such as a VPN, to all network communications involving Secure ACS.

In a statement issued June 23, Cisco's Product Security Incident Response Team (PSRIT) said it is investigating the vulnerability.

Updated June 27 at 6:15 PM EDT.