January 5, 2007 10:11 AM PST
Cisco network tools vulnerable to attack
Cisco NAC Appliance, which verifies that external devices attempting to log on to a company network are compliant with security policy, contains two flaws that an attacker could use to gain control of the devices or compromise sensitive information, including passwords.
The NAC Appliance includes software that can automatically detect, isolate and clean infected or vulnerable devices that attempt to access a network. Clean Access consists of two applications that work in tandem--Clean Access Manager (CAM) and Clean Access Server (CAS).
For the CAM to authenticate to the CAS, each holds a "shared secret"--pieces of information which, when combined, allow authentication to occur. It appears, though, that this system is flawed in older versions of the software.
According to the Cisco advisory, the vulnerability--called "unchangeable shared secret"--means the shared secret cannot be properly set or changed during setup. This also means that the shared secret will be the same across all affected devices, which drastically reduces its cryptographic effectiveness.
To exploit this vulnerability, the adversary must first be able to establish a TCP (transmission control protocol) connection to the CAS.
Successful exploitation of the unchangeable shared secret vulnerability may enable a malicious user to take administrative control of a CAS, Cisco said. After that, every aspect of CAS can be changed, including its configuration and setup.
Versions affected by this vulnerability are CCA releases 3.6.x to 184.108.40.206 and releases 4.0.x to 220.127.116.11.
Releases that contain the fix for this vulnerability are 18.104.22.168, 4.0.4 and 4.1.0. All subsequent releases already contain a fix.
An alternative is to install patch Patch-CSCsg24153.tar.gz, which is available from Cisco's Web site.
The second vulnerability, called "readable snapshots," means that manual backups of the database--or "snapshots"--taken on the CAM are susceptible to brute-force download attacks. A malicious user can guess the file name and download it without authentication. The file itself is not encrypted or otherwise protected.
The snapshot contains sensitive information that can aid in attacks on the CAS, or can be used to compromise the CAM. Among other things, the snapshot can contain passwords in unencrypted "cleartext."
Versions affected by the readable snapshots vulnerability are CCA releases 3.5.x to 3.5.9 and releases 3.6.x to 22.214.171.124.
Releases that contain the fix for this vulnerability are 3.5.10 and 3.6.2. All subsequent releases will contain the fix, Cisco said.
No patch is available for the readable snapshots vulnerability, but a workaround is possible by removing snapshot files from the device shortly after they are created. If the snapshot file needs to be preserved, then it can be moved to a different computer or archived on a secondary storage, Cisco said. Alternatively, the snapshot file can be deleted from the device.
There are currently no known exploits for either vulnerability. The Cisco Product Security Incident Response Team said it is not aware of any public announcements or malicious use of the vulnerabilities.
The readable snapshot issue was reported to Cisco by Chris Hartley, a security specialist in Ohio State University's computer science program. The unchangeable shared secret was discovered while working on a Cisco customer's case and is unrelated to Hartley's report, the networking company said.
Tom Espiner of ZDNet UK reported from London.