COMMAND

    CiscoSecure ACS

SYSTEMS AFFECTED

    CiscoSecure ACS for UNIX up to 2.3.2

PROBLEM

    The following is based on a Cisco Security Notice. In CiscoSecure
    Access Control Server (CiscoSecure ACS) for UNIX, versions 1.0
    through 2.3.2, there is a database access protocol that could
    permit unauthorized remote users to read and write the server
    database without authentication. Depending on the network
    environment, this might permit unauthorized users to modify the
    access policies enforced by the CiscoSecure ACS. A utility that is
    capable of using this protocol to read or modify a database is
    shipped with the CiscoSecure ACS product.

    If you are running an affected version of CiscoSecure ACS for
    UNIX, and if you have not modified the configuration to strictly
    permit connections from trusted hosts, and if untrusted users can
    make TCP connections to TCP port 9900 on the computer on which you
    have installed CiscoSecure ACS, then you are vulnerable. Users of
    CiscoSecure ACS for Windows NT are not vulnerable.

    The impact may vary, depending on whether potential attackers have
    access to port 9900 on the CiscoSecure ACS computer. This
    vulnerability could allow an attacker to remove accounts, add
    accounts, and change passwords or privileges in the user database,
    including creating an administrative account, which would give
    them control of the CiscoSecure ACS server. This vulnerability has
    been assigned Cisco bug ID CSCdm71489.

SOLUTION

    This applies ONLY to CiscoSecure ACS for UNIX, and is present in
    all versions up to version 2.3.2. Version 2.3.3 of CiscoSecure ACS
    for UNIX has been modified to validate administrative clients by
    default. This vulnerability applies only to the software product
    CiscoSecure Access Control Server for UNIX, and does not apply to
    CiscoSecure Access Control Server for NT. As the software fix
    consists of changing default behavior, and is equivalent to the
    recommended workarounds, a software upgrade is not required to
    address this vulnerability. However, if you are running one of the
    releases affected by defects CSCdk55423 or CSCdm72555, as listed in
    the Workarounds section of this notice, and these defects prevent
    you from working around this vulnerability, a software upgrade is
    necessary and will be provided regardless of contract status. If
    you have a service contract, please download the new software from
    Cisco's Worldwide Web site at http://www.cisco.com. If you do not
    have a service contract, please call the Cisco TAC at one of the
    telephone numbers listed in the "Cisco Security Procedures" section
    of this notice. Give the URL of this notice as evidence of your
    entitlement to an upgrade.

    Two workarounds for this vulnerability exist. One workaround
    consists of enabling client validation within CiscoSecure ACS for
    UNIX. A caveat to this workaround is that some versions of
    CiscoSecure ACS for UNIX are subject to another defect, which
    prevents access to additional administration utilities (the
    Advanced Administration GUI) within CiscoSecure ACS for UNIX when
    the client validation feature is enabled. This problem is
    identified in CSCdm72555, which affects versions 2.3.1 and 2.3.2,
    and CSCdk55423, which affects versions 2.2.2 and 2.2.3 of
    CiscoSecure ACS for UNIX. This workaround will not be effective in
    CiscoSecure ACS for UNIX versions 2.2.2, 2.2.3, 2.3.1 and 2.3.2,
    and customers are encouraged to upgrade to a version that does not
    include this defect. Version 2.3.3 is currently available and is
    not susceptible to the above problem.

    You must edit the CSCconfig.ini file, list the permitted remote
    access hosts, and enable remote client validation. TACACS or
    RADIUS clients do NOT need to be listed under this setting; only
    hosts that are permitted to administer the server should be
    listed. In the following example, 'acs_srv_machine' resolves to
    localhost, and we are providing remote administration privileges
    to the host 'client_machine' and the IP address 172.16.23.23.
    Permitted clients may be defined by a hostname or an IP address.
    The CSCconfig.ini file should be edited with the following
    information:

        [ValidClients]
        ;if ValidateClients=true, then we only allow the clients with ids listed
        ; to connect to the dbserver
        100 = acs_srv_machine
        100 = client_machine
        100 = 172.16.23.23
        ValidateClients = true
        ...
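
    The following audit script is an added example and is not part of
    the Cisco notice or the CiscoSecure ACS product. It parses the
    [ValidClients] section of a CSCconfig.ini in the form shown above
    (the key '100' repeated once per permitted host, plus a
    ValidateClients flag) and reports whether the workaround is in
    place. It assumes that a missing ValidateClients line means
    validation is off, and the two sample configurations embedded in it
    are constructed for illustration.

```python
import ipaddress
import re

# Constructed samples (not from the notice): a configuration that leaves
# client validation off, and the hardened configuration the notice describes.
WEAK_CONFIG = """\
[ValidClients]
;if ValidateClients=true, then we only allow the clients with ids listed
; to connect to the dbserver
100 = acs_srv_machine
ValidateClients = false
"""

HARDENED_CONFIG = """\
[ValidClients]
;if ValidateClients=true, then we only allow the clients with ids listed
; to connect to the dbserver
100 = acs_srv_machine
100 = client_machine
100 = 172.16.23.23
ValidateClients = true
"""


def parse_valid_clients(text):
    """Return (validate_enabled, permitted_clients) for the [ValidClients] section.

    The section repeats the key '100' once per permitted host, so a generic
    INI parser that collapses duplicate keys would silently drop entries;
    this parser keeps every one.  A missing ValidateClients line is treated
    as validation off (assumption: the pre-2.3.3 default, since the notice
    says only 2.3.3 validates clients by default).
    """
    section = None
    validate = False
    clients = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "validclients" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "validateclients":
            validate = value.lower() == "true"
        elif key == "100" and value:
            clients.append(value)
    return validate, clients


def audit(text):
    """Return a list of findings; an empty list means the workaround is in place."""
    validate, clients = parse_valid_clients(text)
    findings = []
    if not validate:
        findings.append("ValidateClients is not 'true': any host that can reach "
                        "TCP port 9900 may read and write the database")
    if not clients:
        findings.append("no permitted clients are listed under [ValidClients]")
    for client in clients:
        # Entries may be hostnames or IP addresses.  Anything made only of
        # digits and dots must parse as a single host address.
        if re.fullmatch(r"[\d.]+", client):
            try:
                ipaddress.ip_address(client)
            except ValueError:
                findings.append(f"entry {client!r} is not a valid host IP address")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK: client validation enabled"])
```

    Run against a copy of the real CSCconfig.ini (read the file and pass
    its contents to audit()) before and after applying the workaround;
    an empty result means validation is on and every listed entry is a
    hostname or a well-formed host address.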

    An additional configuration parameter, "FastAdminValidClients", was
    added in CiscoSecure ACS version 2.3.3. It lets the Fast
    Administrator web-based GUI apply the same list of permitted IP
    addresses specified in the valid clients list, further restricting
    client access.

    A second workaround is to use filtering on other network devices,
    such as a firewall, to control or block access to TCP port 9900 on
    the CiscoSecure ACS for UNIX server.