Cisco Security Response

Cisco Secure ACS Denial Of Service Vulnerability

Document ID: 572

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20080903-csacs

Revision 1.0

For Public Release 2008 September 3 16:00 UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures

Cisco Response

This is the Cisco PSIRT response to the statements made by Laurent Butti and Gabriel Campana of Orange Labs / France Telecom Group, in their advisory: "Cisco Secure ACS EAP Parsing Vulnerability". The original advisory is available at:

http://www.securityfocus.com/archive/1/495937/30/0/threaded

A specially crafted Remote Authentication Dial In User Service (RADIUS) Extensible Authentication Protocol (EAP) Message Attribute packet sent to the Cisco Secure Access Control Server (ACS) can crash the CSRadius and CSAuth processes of Cisco Secure ACS. Because this affects CSAuth, all authentication requests via RADIUS or TACACS+ will be affected during exploitation of this vulnerability.

Cisco ACS installations that are configured with AAA Clients to authenticate using TACACS+ only are not affected by this vulnerability.

The RADIUS shared secret and a valid known Network Access Server (NAS) IP address must be known to carry out this exploit.

The Cisco PSIRT team greatly appreciates the opportunity to work with researchers on security vulnerabilities, and we welcome the opportunity to review and assist in product reports. We thank Laurent Butti and Gabriel Campana of Orange Labs / France Telecom Group for reporting this vulnerability to Cisco PSIRT.

Software patches are available for customers with support contracts and should be obtained through their regular support channels. The upgrade to fixed software is not a free upgrade. See the Software Versions and Fixes section within this advisory for further information on obtaining fixed software.

Additional Information

Cisco Secure ACS provides a comprehensive, identity-based access control solution for Cisco intelligent information networks. It is the integration and control layer for managing enterprise network users, administrators, and the resources of the network infrastructure.

Described in RFC2865, RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication requests to a central RADIUS server (Cisco Secure ACS) that contains all user authentication and network service access information.

Described in RFC3748, EAP is an authentication framework that supports multiple authentication methods. Typically, EAP runs directly over data link layers, such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.

All versions of Cisco Secure ACS for Windows (ACS) and the Cisco Secure ACS Solution Engine (ACSE) prior to the fixed software versions listed in this Response are affected by this vulnerability. Cisco Secure ACS Express, Cisco Secure for Unix and Cisco Access Register are not affected by this vulnerability.

A specially crafted RADIUS EAP Message Attribute packet will crash the CSRadius and CSAuth services. Error messages will appear in the System Log of the Windows Event Viewer, stating "The CSAuth service terminated unexpectedly" and "The CSRadius service terminated unexpectedly". In the Cisco ACS Reports and Activity tab, under ACS Service Monitoring, the logs will indicate that CSAuth is not running and show attempts to restart it.

The CSRadius service handles communication between the service for authentication and authorization (CSAuth service) and the access device requesting the authentication and authorization services for RADIUS.

Continued exploitation of this vulnerability will prevent Cisco Secure ACS from processing all authentication and authorization requests via RADIUS or TACACS+. In many cases continued exploitation will prevent network access to devices which first require authentication or authorization via the AAA Server.
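The two System Log messages quoted above can be turned into a simple detection check. The following is an added example, not Cisco code: it assumes the System log has been exported as tab-separated `timestamp`, `source`, `message` lines, and the sample lines, the 10-second pairing window, the repeat threshold and the `ExampleSvc` name are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export (assumed format: timestamp<TAB>source<TAB>message).
# Only the two "terminated unexpectedly" messages are taken from the advisory.
SAMPLE_LOG = """\
2008-09-04 10:15:02\tService Control Manager\tThe CSRadius service terminated unexpectedly.
2008-09-04 10:15:03\tService Control Manager\tThe CSAuth service terminated unexpectedly.
2008-09-04 10:15:40\tService Control Manager\tThe CSAuth service entered the running state.
2008-09-04 10:16:11\tService Control Manager\tThe CSRadius service terminated unexpectedly.
2008-09-04 10:16:12\tService Control Manager\tThe CSAuth service terminated unexpectedly.
2008-09-04 14:02:00\tService Control Manager\tThe ExampleSvc service terminated unexpectedly.
"""

CRASH = re.compile(r"The (CSAuth|CSRadius) service terminated unexpectedly")

def parse_crashes(text):
    """Return sorted [(timestamp, service)] for CSAuth/CSRadius crash messages."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        match = CRASH.search(parts[2])
        if match:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            events.append((when, match.group(1)))
    return sorted(events)

def paired_crashes(events, window=timedelta(seconds=10)):
    """Timestamps of CSRadius crashes that have a CSAuth crash within `window`."""
    hits = []
    for ts, svc in events:
        if svc != "CSRadius":
            continue
        if any(s == "CSAuth" and abs(t - ts) <= window for t, s in events):
            hits.append(ts)
    return hits

def assess(text, repeat_threshold=2):
    """'none', 'single' (one paired crash) or 'repeated' (ongoing outage pattern)."""
    pairs = paired_crashes(parse_crashes(text))
    if not pairs:
        return "none"
    return "repeated" if len(pairs) >= repeat_threshold else "single"

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

A "repeated" result matches the continued-exploitation case, where both services keep failing and RADIUS and TACACS+ authentication stays unavailable.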

This vulnerability is documented in Cisco bug ID CSCsq10103 (registered customers only), and Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2441 has been assigned to it.

Software Versions and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

| Affected Release | First Fixed Release |
|---|---|
| 3.X.Y | Release 3.3(4) Build 12 patch 8 or later |
| 4.0.X | Vulnerable; Contact TAC |
| 4.1.X | Release 4.1(4) Build 13 Patch 11 or later |
| 4.2.X | Release 4.2(0) Build 124 Patch 4 or later |
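An inventory check against the first-fixed table above, as an added example that is not Cisco code. It assumes release strings follow the `4.1(4) Build 13 Patch 11` form used in the table and that "or later" within a train means a component-wise comparison of (major, minor, maintenance, build, patch); the function names are hypothetical.

```python
import re

# First fixed releases from the advisory's table, as
# (major, minor, maintenance, build, patch). None = no fixed release listed.
# Note: the ACSE 3.x file name on the page carries patch 7; this check uses
# the table value (patch 8).
FIRST_FIXED = {
    (3,): (3, 3, 4, 12, 8),     # 3.X.Y: Release 3.3(4) Build 12 patch 8
    (4, 0): None,               # 4.0.X: Vulnerable; Contact TAC
    (4, 1): (4, 1, 4, 13, 11),  # 4.1.X: Release 4.1(4) Build 13 Patch 11
    (4, 2): (4, 2, 0, 124, 4),  # 4.2.X: Release 4.2(0) Build 124 Patch 4
}

VERSION = re.compile(
    r"(\d+)\.(\d+)\((\d+)\)\s+Build\s+(\d+)(?:\s+Patch\s+(\d+))?",
    re.IGNORECASE,
)

def parse_release(text):
    """Parse e.g. 'Release 4.1(4) Build 13 Patch 11' into a 5-tuple.

    A release string without a patch level is treated as patch 0 (assumption).
    """
    match = VERSION.search(text)
    if not match:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(g) if g else 0 for g in match.groups())

def status(text):
    """Classify an installed release against the first-fixed table."""
    ver = parse_release(text)
    train = (3,) if ver[0] == 3 else ver[:2]
    if train not in FIRST_FIXED:
        return "not listed"            # train does not appear in the table
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "vulnerable, contact TAC"
    return "fixed" if ver >= fixed else "vulnerable"

if __name__ == "__main__":
    for release in ("4.1(4) Build 13 Patch 10", "4.0(1) Build 27",
                    "Release 4.2(0) Build 124 Patch 4"):
        print(release, "->", status(release))
```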

The fixed software for Cisco Secure ACS for Windows (ACS) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des

The fixed software for Cisco Secure ACS Solution Engine (ACSE) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2

The first fixed release file names are indicated below:

| | 3.x cumulative patch | 4.1 cumulative patch | 4.2 cumulative patch |
|---|---|---|---|
| CS ACS for Windows | Acs-3.3.4.12.8-SW.zip | Acs-4.1.4.13.11-SW.zip | ACS-4.2.0.124.4-SW.zip |
| CS ACS Solution Engine | applAcs-3.3.4.12.7.zip | applAcs_4.1.4.13.11.zip | applAcs_4.2.0.124.4.zip |

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

| Revision 1.0 | 2008-September-03 | Initial Public Release. |

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
