The following workarounds will assist in mitigating threats due to
these vulnerabilities, but cannot completely eliminate the potential for
successful exploitation of the defects. Customers with affected systems are
strongly recommended to upgrade to unaffected, fixed versions of the software
as listed previously in this security advisory. In lieu of upgrading the
software, the following steps may help minimize the risk:
To protect the CSAdmin module from oversized URLs, limit access to the
CiscoSecure ACS server so that only hosts with a legitimate need can reach it
over the network. One way to do this is to place an access control list (ACL)
on a router between the CiscoSecure ACS server and the rest of the network.
In the following example, the CiscoSecure ACS server has the IP address
18.104.22.168 and is attached to the Ethernet0 interface of an adjacent router,
and the terminal server that authenticates against it has the address
22.214.171.124. To allow only TACACS+ traffic (TCP port 49) from the terminal
server to reach the ACS server, and to drop and log everything else, enter
configuration mode from enable mode and use commands similar to the following
partial list of instructions to create an extended ACL and apply it to the
router's Ethernet0 interface:
access-list 100 permit tcp host 22.214.171.124 host 18.104.22.168 eq 49
access-list 100 deny ip any any log
interface Ethernet0
 ip access-group 100 out
The ACL is numbered in the extended IP range (100-199) because it matches on
protocol and destination port, and the port match requires the protocol keyword
tcp rather than ip. It is applied outbound on Ethernet0 because packets
destined for the ACS server leave the router through that interface. Add a
permit entry for every other legitimate client (additional network access
servers, and the administrators' workstations if CSAdmin is managed remotely)
ahead of the final deny, and review the log entries the deny produces to
confirm that no legitimate traffic is being dropped.
The CiscoSecure ACS server can be protected from receiving an oversized
TACACS+ packet in the same way: apply an ACL on an adjacent router as shown
above, or implement equivalent access controls on a firewall that treats the
ACS server as part of its protected network. Such filtering only limits which
hosts can send TACACS+ packets to the server; a malformed packet from a
permitted host will still reach it.
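To make concrete what "oversized TACACS+ packet" means, the following added example (not code from the advisory or from CiscoSecure ACS) parses the 12-byte TACACS+ header defined in the TACACS+ protocol specification and rejects a packet whose length field exceeds a cap before any of the body is processed. The cap MAX_BODY_LEN is an assumed value for illustration, not a limit documented for ACS, and the sample packets are constructed inline.

```python
import struct

# TACACS+ header (draft-grant-tacacs-02 / RFC 8907), network byte order:
# version (1), type (1), seq_no (1), flags (1), session_id (4), length (4).
HEADER = struct.Struct("!BBBBII")
HEADER_LEN = HEADER.size  # 12 bytes
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}

# Assumed cap on the body length; chosen for this example, not an ACS value.
MAX_BODY_LEN = 4096


def parse_header(data: bytes) -> dict:
    """Decode the fixed header, checking only fields that need no body access."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet: %d bytes, header needs %d" % (len(data), HEADER_LEN))
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unexpected major version 0x%x" % (version >> 4))
    if ptype not in TYPES:
        raise ValueError("unknown packet type %d" % ptype)
    return {
        "version": version,
        "type": TYPES[ptype],
        "seq_no": seq_no,
        "flags": flags,
        "session_id": session_id,
        "length": length,
    }


def check_packet(data: bytes):
    """Return (accepted, reason). Decide from the header alone, before touching the body."""
    try:
        hdr = parse_header(data)
    except ValueError as exc:
        return False, str(exc)
    if hdr["length"] > MAX_BODY_LEN:
        return False, "oversized body: length field %d exceeds cap %d" % (hdr["length"], MAX_BODY_LEN)
    present = len(data) - HEADER_LEN
    if present != hdr["length"]:
        return False, "length field %d does not match %d body bytes present" % (hdr["length"], present)
    return True, "ok"


def build_packet(ptype: int, body: bytes, seq_no: int = 1, session_id: int = 0x1234ABCD) -> bytes:
    """Constructed sample packet; the unencrypted flag keeps the body in the clear."""
    return HEADER.pack(0xC0, ptype, seq_no, TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body)) + body


def authen_start_body(user: bytes, port: bytes) -> bytes:
    # Authentication START: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    # service=LOGIN(1), then user_len, port_len, rem_addr_len, data_len and the fields.
    return b"\x01\x01\x01\x01" + bytes([len(user), len(port), 0, 0]) + user + port


# Constructed samples: a normal login START, one with an oversized body, and one
# whose header claims a different length than is actually present.
SAMPLE_OK = build_packet(1, authen_start_body(b"admin", b"tty0"))
SAMPLE_OVERSIZED = build_packet(1, authen_start_body(b"A" * 200, b"tty0") + b"B" * 70000)
SAMPLE_LYING = SAMPLE_OK[:HEADER_LEN] + SAMPLE_OK[HEADER_LEN:] + b"\x00" * 16

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("oversized", SAMPLE_OVERSIZED), ("lying", SAMPLE_LYING)):
        print(name, check_packet(pkt))
```

A server or inline filter that enforces this kind of bound on the header's length field never allocates or copies the body of an oversized packet, which is the class of input the router ACL above keeps away from the ACS server in the first place.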
An additional method is to ensure that a trusted path exists between
the CiscoSecure ACS for Windows NT Server and the devices that are using it.
This is a prudent measure to prevent sniffing or injection of packets along
The unauthorized enable access that this defect permits can be prevented by
storing the enable password on the CiscoSecure ACS for Windows NT Server
itself, in its local user database, rather than checking it against the remote
LDAP server.