Cisco Secure Access Control Server (ACS) provides centralized identity
management and policy enforcement for Cisco devices.
-- Cisco Secure ACS Administrator Password Remote Retrieval and Decryption.

A person with administrative access to the Windows registry of a system
running Cisco Secure ACS 3.x for Windows can decrypt the passwords of all ACS

Cisco Secure ACS 3.x for Windows stores the passwords of ACS
administrators in the Windows registry in an encrypted format. A locally
generated master key is used to encrypt/decrypt the ACS administrator
passwords. The master key is also stored in the Windows registry in an
encrypted format. Using Microsoft cryptographic routines, it is possible for a
user with administrative privileges to a system running Cisco Secure ACS to
obtain the clear-text version of the master key. With the master key, the user
can decrypt and obtain the clear-text passwords for all ACS administrators.

With administrative credentials to Cisco Secure ACS, it is possible to change
the password for any locally defined users. This may be used to gain access to
network devices configured to use Cisco Secure ACS for authentication.

If remote registry access is enabled on a system running Cisco Secure
ACS, it is possible for a user with administrative privileges (typically domain
administrators) to exploit this vulnerability.

If Cisco Secure ACS is configured to use an external authentication
service such as Windows Active Directory / Domains or LDAP, the passwords for
users stored by those services are not at risk of compromise via this

This vulnerability only affects version 3.x of Cisco Secure ACS for
Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco Secure ACS for UNIX are
not vulnerable. Cisco Secure ACS 3.x appliances do not permit local or remote
Windows registry access and are not vulnerable.

It is possible to mitigate this vulnerability by restricting access to
the registry key containing the ACS administrators' passwords. One feature of
Windows operating systems is the ability to modify the permissions of a
registry key to remove access even for local or domain administrators. Using
this feature, the registry key containing the ACS administrators' passwords can
be restricted to only the Windows users with a need to maintain the ACS
installation or operate the ACS services.

The following registry key and all of its sub-keys need to be

Note: The "CiscoAAAv3.3" portion of the registry key path may differ
slightly depending on the version of Cisco Secure ACS for Windows that is

There are two general deployment scenarios for Cisco Secure ACS. The
Windows users that need permissions to the registry key will depend on the

If Cisco Secure ACS is not installed on a Windows domain controller,
access to the registry key should be limited to only the local Windows SYSTEM
account and specific local/domain administrators who will be performing
software maintenance on the ACS installation.

If Cisco Secure ACS is installed on a Windows domain controller,
access to the registry key should be limited to the domain account which ACS is
configured to use for its services, the local Windows SYSTEM account and
specific local/domain administrators who will be performing software
maintenance on the ACS installation.
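The registry-permission mitigation described above, as an added PowerShell example that is not part of the Cisco advisory. The key path is a placeholder to be replaced with the key named in the advisory for the installed ACS version; the maintainer group and service-account names are assumptions.

```powershell
# Added example, not from the Cisco advisory: lock the ACS administrators
# registry key and all of its sub-keys down to SYSTEM plus a named
# maintenance group, audit the result, then disable Remote Registry.
$AcsKeyPath = 'HKLM:\SOFTWARE\Cisco\<ACS-key-path-from-advisory>'  # placeholder
$Allowed    = @('NT AUTHORITY\SYSTEM', 'CONTOSO\ACS-Maintainers')  # assumed group
# Domain-controller scenario from the advisory: also allow the account ACS
# services run under, e.g.  $Allowed += 'CONTOSO\svc-acs'  (assumed name)

function Get-AcsKeys([string]$Path) {
    # The key itself plus every sub-key; sub-keys with protected ACLs would
    # otherwise keep whatever access they already grant.
    @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
}

function Set-AcsKeyAcl([string]$Path, [string[]]$Principals) {
    foreach ($key in Get-AcsKeys $Path) {
        $acl = Get-Acl -Path $key.PSPath
        # Stop inheriting from HKLM\SOFTWARE and discard inherited ACEs; this is
        # what removes the implicit local/domain Administrators access.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($ace) }
        foreach ($p in $Principals) {
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $p, 'FullControl', 'ContainerInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $key.PSPath -AclObject $acl
    }
}

function Test-AcsKeyAcl([string]$Path, [string[]]$Principals) {
    # Returns $true only when no key under $Path grants access to anyone
    # outside $Principals; otherwise lists the offending ACEs.
    $extra = foreach ($key in Get-AcsKeys $Path) {
        (Get-Acl -Path $key.PSPath).Access |
            Where-Object { $Principals -notcontains $_.IdentityReference.Value } |
            ForEach-Object { [pscustomobject]@{ Key = $key.PSPath
                Identity = $_.IdentityReference.Value; Rights = $_.RegistryRights } }
    }
    if ($extra) { $extra | Format-Table -AutoSize; return $false }
    return $true
}

Set-AcsKeyAcl  -Path $AcsKeyPath -Principals $Allowed
Test-AcsKeyAcl -Path $AcsKeyPath -Principals $Allowed

# Remote mitigation from the advisory: stop and disable the Remote Registry service.
Stop-Service -Name RemoteRegistry -Force
Set-Service  -Name RemoteRegistry -StartupType Disabled
```

Run this from an account that is itself in the maintainer group, since once Administrators is removed any later change to the key requires taking ownership of it first.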
For information about editing the Windows registry, please consult the
following Microsoft documentation.
"Description of the Microsoft Windows registry":

Further mitigation against remote exploitation can be achieved by
restricting access to authorized users or disabling remote access to the
Windows registry on systems running Cisco Secure ACS for Windows. For
information on restricting remote registry access, please consult the following

"How to restrict access to the registry from a remote computer":
"How to Manage Remote Access to the Registry":