[NEWS] Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS

support_at_securiteam.com
Date: 04/26/03

    To: list@securiteam.com
    Date: 26 Apr 2003 20:18:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS
    ------------------------------------------------------------------------

    SUMMARY

    Cisco Secure ACS for Windows is vulnerable to a buffer overflow on the
    administration service that runs on TCP port 2002. Exploitation of this
    vulnerability results in a Denial of Service, and can potentially result
    in system administrator access. Cisco is providing repaired software, and
    customers are recommended to install patches or upgrade at their earliest
    opportunity. Workarounds can be implemented, and consist of blocking
    external access to port 2002 on the ACS.

    DETAILS

    Affected systems:
     * Cisco Secure ACS 2.6.4 for Windows and earlier
     * Cisco Secure ACS 3.0.3 for Windows and earlier
     * Cisco Secure ACS 3.1.1 for Windows and earlier

    Cisco Secure Access Control Server (ACS) is a high-performance, highly
    scalable, centralized user access control framework. It supports
    centralized access and audit for dial access servers, VPNs, firewalls, and
    IP voice (VoIP) solutions, as well as IEEE 802.1x-based access for
    wireless users of the Cisco Aironet 350 wireless integration solution.

    Cisco Secure ACS is managed through a web interface. Cisco Secure ACS
    installs a service known as "CSAdmin" (the corresponding program is
    CSAdmin.exe) on the system. Once the service is enabled, it listens on
    port TCP/2002 and accepts HTTP requests.

    A buffer overflow occurs when CSAdmin.exe handles a login.exe request.
    On receiving the login request, CSAdmin.exe calls wsprintfA to handle the
    user parameter without any length check on the parameter. If attackers
    send an extremely long user parameter to the server, they might cause a
    buffer overflow, resulting in the service hanging or restarting. With
    carefully crafted data, an attacker could run arbitrary code with the
    privileges of the CSAdmin process (typically LocalSystem) on the server.
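
    The class of defect described above, unbounded formatting of a request
    parameter into a fixed buffer, shown next to a length-checked form. This
    is an added example, not code from CSAdmin.exe or from the advisory;
    sprintf stands in for wsprintfA, and the function names, message text and
    MAX_USER limit are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER 64   /* assumed policy limit for the user field */

/* Unsafe pattern from the advisory: the parameter is formatted into a fixed
 * buffer with no length check. sprintf stands in for wsprintfA here. */
void log_login_unsafe(char *out, const char *user)
{
    sprintf(out, "login request, user=%s", user);
}

/* Hardened form: reject over-long input first, then format with a bound.
 * Returns 0 on success, -1 when the request is rejected. */
int log_login_checked(char *out, size_t out_len, const char *user)
{
    size_t n = 0;
    while (n <= MAX_USER && user[n] != '\0')   /* bounded length scan */
        n++;
    if (n == 0 || n > MAX_USER)
        return -1;

    int w = snprintf(out, out_len, "login request, user=%s", user);
    if (w < 0 || (size_t)w >= out_len) {       /* output would be truncated */
        if (out_len)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    char long_user[4096];                      /* constructed oversized input */
    memset(long_user, 'A', sizeof long_user - 1);
    long_user[sizeof long_user - 1] = '\0';

    /* Only the checked form is given the oversized value. */
    printf("short user: %d\n", log_login_checked(buf, sizeof buf, "admin"));
    printf("long user:  %d\n", log_login_checked(buf, sizeof buf, long_user));
    return 0;
}
```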

    Workaround:
    Block access to port TCP/2002 on the host running Cisco Secure ACS from
    untrusted IPs at the firewall.

    Software Versions and Fixes:
    Fixes to the CSAdmin will be included in ACS for Windows versions 3.0.4,
    3.1.2, and later, which will become available on the Cisco website. Patch
    files for 2.6.4, 3.0.3, and 3.1.1 are currently available on the Cisco
    website. Customers running versions earlier than 2.6.4, 3.0.3, or 3.1.1
    will need to upgrade to those versions to apply the patch files.

    The patch files that resolve this problem for specific versions are as
    follows:

     * ACS 3.1(1) - CSAdmin-Patch-3.1-1-27.zip
     * ACS 3.0(3) - CSAdmin-Patch-3.0-3-6.zip
     * ACS 2.6 - CSAdmin-patch-2.6-4-4.zip

    Customers that are logged into the Cisco website can download these files
    at: http://www.cisco.com/cgi-bin/tablebuild.pl/cs-acs-win

    Vendor Status:
    2003-03-16 Informed the vendor.
    2003-03-23 The vendor confirmed the vulnerability.
    2003-04-23 The vendor released an advisory and patches for this issue.

    Cisco Bug ID: CSCea51366

    The Cisco advisory is available at:
    http://www.cisco.com/warp/public/707/cisco-sa-20030423-ACS.shtml

    ADDITIONAL INFORMATION

    The information has been provided by NSFOCUS Security Team
    (security@nsfocus.com) and Cisco Systems Product Security Incident
    Response Team (psirt@cisco.com).
