Re: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access

Well, that sure was informative.

My questions to what the advisory means are below. Can anyone answer or
correct this at all?

On 1/3/07, Cisco Systems Product Security Incident Response Team <> wrote:


Unchangeable Shared Secret

In order for Cisco Clean Access Manager (CAM) to authenticate to a
Cisco Clean Access Server (CAS), both CAM and CAS must have the same
shared secret. The shared secret is configured during the initial CAM
and CAS setup. Due to this vulnerability the shared secret can not be
properly set nor be changed, and it will be the same across all
affected devices. In order to exploit this vulnerability the
adversary must be able to establish a TCP connection to CAS.

So, other than making a TCP connection to the box, what does the attacker
need? Do they need to get the shared secret off some other box in the same
administrative domain? How is that shared secret protected, is it stored
anywhere else an attacker might have easier access to (e.g. on Clean
Access-managed clients, on the 'readable snapshots' below)?

Unchangeable Shared Secret

Successful exploitation of the vulnerability may enable a malicious
user to effectively take administrative control of a CAS. After that,
every aspect of CAS can be changed including its configuration and

For "may", presumably we should read "would, unless the he suddenly fell
asleep at the last minute"? Or are there some additional barriers to taking
advantage of a successful exploit?

Readable Snapshots

Manual backups of the database ('snapshots') taken on CAM are
susceptible to brute force download attacks. A malicious user can
guess the file name and download it without authentication. The file
itself is not encrypted or otherwise protected.

Readable Snapshots

The snapshot contains sensitive information that can aide in the
attempts, or be used to compromise the CAM. Among other things, the
snapshot can contain passwords in cleartext. Starting with the
release 3.6.0, passwords are no longer stored in cleartext in the
snapshot files.

So, I read this to mean, the snapshot files are still downloadable without
authentication, still have easily guessable names, and still contain
sensitive information that can aid in an attack (what sensitive
information?), but now the attacker has password hashes against which he has
to do a three hour offline brute force, or perhaps a twenty second rainbow
table lookup, rather than getting the plaintext straight off.

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -