Re: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access

Hello Mark,

Sorry for this belated response.

On Thu, Jan 04, 2007 at 11:59:34AM -0700, Mark Senior wrote:
> Well, that sure was informative.
>
> My questions about what the advisory means are below. Can anyone answer or
> correct this at all?

I am the person who wrote this advisory so maybe I can help here.

> > Unchangeable Shared Secret
> >
> > In order for Cisco Clean Access Manager (CAM) to authenticate to a
> > Cisco Clean Access Server (CAS), both CAM and CAS must have the same
> > shared secret. The shared secret is configured during the initial CAM
> > and CAS setup. Due to this vulnerability the shared secret can not be
> > properly set nor be changed, and it will be the same across all
> > affected devices. In order to exploit this vulnerability the
> > adversary must be able to establish a TCP connection to CAS.

> So, other than making a TCP connection to the box, what does the attacker
> need? Do they need to get the shared secret off some other box in the same
> administrative domain? How is that shared secret protected, is it stored
> anywhere else an attacker might have easier access to (e.g. on Clean
> Access-managed clients, on the 'readable snapshots' below)?

Being able to establish a TCP connection is the first requirement. After
doing so the attacker will be able to talk to CAS and instruct it to do
whatever (s)he wants it to do. Just finishing the three-way handshake is not
sufficient to exploit this.

I do not have an answer as to whether this is also stored on clients. I will
verify and get back to you later.

> > Unchangeable Shared Secret
> >
> > Successful exploitation of the vulnerability may enable a malicious
> > user to effectively take administrative control of a CAS. After that,
> > every aspect of CAS can be changed including its configuration and

> For "may", presumably we should read "would, unless he suddenly fell
> asleep at the last minute"? Or are there some additional barriers to taking
> advantage of a successful exploit?

It is "may" because if you run software release 3.6.1 then your passwords
are encrypted but you are still affected by both of these issues. On the
other hand, if you are using version 3.5.8 then your passwords are not
stored encrypted.

> > Readable Snapshots
> >
> > The snapshot contains sensitive information that can aid in the
> > attempts, or be used to compromise the CAM. Among other things, the
> > snapshot can contain passwords in cleartext. Starting with the
> > release 3.6.0, passwords are no longer stored in cleartext in the
> > snapshot files.

> So, I read this to mean, the snapshot files are still downloadable without
> authentication, still have easily guessable names, and still contain

Not quite. You can not read snapshot files without authentication if you
are running fixed software (3.5.10 and 3.6.2 and onwards).

> sensitive information that can aid in an attack (what sensitive
> information?), but now the attacker has password hashes against which he has

Information like the web server version can aid in an attempt to compromise
a device.

> to do a three hour offline brute force, or perhaps a twenty second rainbow
> table lookup, rather than getting the plaintext straight off.

You are assuming that we are using the same format as LM. If we did so,
then you would be correct that the hash can be cracked in a few seconds
by using rainbow tables. We do not use the LM format.

It is always possible to crack the password using brute force, but we hope
that users are using passwords sufficiently long to make this process too
time consuming.

Damir Rajnovic <psirt@xxxxxxxxx>, PSIRT Incident Manager, Cisco Systems
Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
There are no insolvable problems.
The question is can you accept the solution?

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -