COMMAND

    Cisco

SYSTEMS AFFECTED

    CiscoSecure ACS for Windows NT Server

PROBLEM

    Following  is  based  on  a  Cisco  Security  Advisory.   Multiple
    vulnerabilities have been identified and fixed in CiscoSecure  ACS
    for Windows NT Server:

    * The CSAdmin software module can be forced to crash by sending it
      an oversized  URL. This  defect is  documented as  Cisco bug  ID
      CSCdr68286.
    * CiscoSecure  ACS for  Windows NT  Server can  be placed  into an
      unstable state by sending it an oversized TACACS+ packet.   This
      defect is documented as Cisco bug ID CSCdr51286.
    * The  enable  password  can  be  bypassed  to  gain  unauthorized
      privileges  on  a  router  or  switch  when  CiscoSecure ACS for
      Windows NT  Server is  used in  conjunction with  an LDAP server
      that  allows  users  to  have  null  passwords.   This defect is
      documented as Cisco bug ID CSCdr26113.

    All releases of CiscoSecure ACS for Windows NT Server up to and
    including 2.1(x), 2.3(3), and 2.4(2) are vulnerable.

    CSCdr68286
    ==========
    A  buffer  overflow  condition  within  the  CSAdmin module can be
    exploited  by  sending  an  oversized  packet  to TCP port 2002 of
    CiscoSecure ACS  Server for  Windows NT.   Depending on  the exact
    version of the underlying NT operating system, it may be  possible
    to force the  execution of inserted  code or to  temporarily crash
    the  module.   Any   existing  administrative  sessions  will   be
    terminated when  a crash  occurs, which  may lead  to the  loss of
    recent administrative  actions.   In versions  2.3(x) and  higher,
    the CSAdmin module is  restarted automatically within one  minute.
    Existing sessions are re-established at that time, but they must be
    authenticated again as though they had started from the beginning.
    In earlier versions, the server must be restarted.
    This vulnerability can be triggered without any authentication  at
    all, although authentication is normally required for all expected
    activities.

    This defect  can be  exercised repeatedly  to create  a denial  of
    service attack,  thus affecting  the availability  of the  server.
    Depending  on  specific  Windows  NT  installation  details,  this
    defect can allow the unauthorized execution of arbitrary commands.
    This can  be exploited  to gain  access to  or modify data without
    appropriate   authorization,   thus    possibly   violating    the
    confidentiality or integrity of the server.

    CSCdr51286
    ==========
    By  sending  an  oversized  TACACS+  packet to CiscoSecure ACS for
    Windows  NT  Server  it  is  possible  to place the system into an
    unstable  condition  that  may  lead  to  a denial of service.  In
    order to  exploit this  vulnerability, the  attacker must  be able
    to  sniff  or  inject  traffic  into  the path between the TACACS+
    client and CiscoSecure ACS for Windows NT Server.

    This defect  may be  exercised repeatedly  to create  a denial  of
    service attack, thus affecting the availability of the system.
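    A defender-side check for the condition behind CSCdr51286, added here
    as an example and not part of the advisory: it decodes the TACACS+
    packet header (RFC 8907) and flags packets whose declared body length
    is implausible or does not match what was actually received, which is
    the validation an oversized packet relies on being absent.  The
    MAX_BODY_LEN limit and the sample packets are assumptions constructed
    for this example.

```python
import struct

# TACACS+ fixed header (RFC 8907): 12 bytes, multi-byte fields big-endian.
# version | type | seq_no | flags | session_id (4) | length (4)
HEADER_LEN = 12
HEADER_FMT = "!BBBBII"
MAJOR_VERSION = 0xC                    # high nibble of the version byte
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}

# Assumed sanity limit for this example: legitimate TACACS+ bodies are
# a few hundred bytes; a far larger declared length is worth flagging.
MAX_BODY_LEN = 4096

def parse_header(data):
    """Decode the fixed header; raise ValueError on malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header: %d bytes" % len(data))
    ver, ptype, seq, flags, session, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if ver >> 4 != MAJOR_VERSION:
        raise ValueError("bad major version 0x%x" % (ver >> 4))
    if ptype not in PACKET_TYPES:
        raise ValueError("unknown packet type %d" % ptype)
    return {"minor": ver & 0xF, "type": PACKET_TYPES[ptype], "seq": seq,
            "flags": flags, "session_id": session, "length": length}

def classify_packet(data, max_body=MAX_BODY_LEN):
    """Return 'ok', 'oversized', 'truncated', 'trailing' or 'malformed'."""
    try:
        hdr = parse_header(data)
    except ValueError:
        return "malformed"
    body_len = len(data) - HEADER_LEN
    if hdr["length"] > max_body:
        return "oversized"      # declared body beyond any legitimate size
    if body_len < hdr["length"]:
        return "truncated"      # header promises more than was received
    if body_len > hdr["length"]:
        return "trailing"       # extra bytes after the declared body
    return "ok"

def build_packet(ptype, body, declared_len=None, seq=1, session=0x1234):
    """Constructed sample packet; declared_len forges the length field."""
    length = len(body) if declared_len is None else declared_len
    version = (MAJOR_VERSION << 4) | 0          # minor version 0
    return struct.pack(HEADER_FMT, version, ptype, seq, 0, session,
                       length) + body

# Constructed samples: a plausible authentication packet and a forged
# one whose header claims a body of roughly 2 GB.
GOOD = build_packet(1, b"\x01\x01\x01\x01" + bytes(4) + b"admin")
OVERSIZED = build_packet(1, b"A" * 16, declared_len=0x7FFFFFFF)
```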

    CSCdr26113
    ==========
    Some Lightweight  Directory Access  Protocol (LDAP)  servers allow
    users  to  have  a  password  that  is undefined, meaning that the
    value of  the stored  password is  null.   An interaction  between
    such  an  LDAP  server  and  this  defect  may  allow  enable-mode
    authentication  to  succeed  without  specifying  a valid password
    for that privileged mode.

    If  an  LDAP  server  that  allows  null  passwords  is  in use as
    described  previously,  then  this  defect  can  be  exploited  to
    escalate privileges on a network device without authorization.

SOLUTION

    These  defects  are  fixed  in  release  2.4(3) and all subsequent
    releases.  Free upgrades are offered to all affected customers  as
    shown  below.   In  lieu  of  an  upgrade, several workarounds are
    available that might minimize the threat imposed by these defects.
    CiscoSecure ACS for UNIX is not affected by these vulnerabilities.

    Customers that are using  any version earlier than  release 2.4(3)
    should  upgrade  to  2.4(3)  or  higher.   Cisco  is  offering free
    software upgrades to eliminate this vulnerability for all affected
    customers.

    The following workarounds will assist in mitigating threats due to
    these  vulnerabilities,  but   cannot  completely  eliminate   the
    potential for successful exploitation  of the defects.   Customers
    with  affected  systems  are  strongly  recommended  to upgrade to
    unaffected, fixed  versions of  the software  as listed previously
    in this security advisory.  In lieu of upgrading the software, the
    following steps may help minimize the risk:

    CSCdr68286
    ==========
    To protect the CSAdmin module from oversized URLs, limit access to
    the CiscoSecure ACS server so that only computers with  legitimate
    need can reach it  via the network.   This can be accomplished  by
    placing  an  Access  Control  List  (ACL)  on a router between the
    CiscoSecure ACS server and the  remainder of the network.   In the
    following example, the  CiscoSecure ACS server  has an IP  address
    of  1.1.1.1  and  is  attached  to  the  Ethernet0 interface of an
    adjacent router.  The terminal  server has an address of  2.2.2.2.
    Access to the CiscoSecure ACS server can be restricted to  TACACS+
    traffic from  the terminal  server by  entering config  mode  from
    enable mode and using commands similar to the following partial
    list of instructions to create an ACL and apply it to the router's
    Ethernet0 interface:

        ! Extended IP ACLs are numbered 100-199 (200-299 is a different
        ! ACL type); TACACS+ is TCP port 49, so the protocol must be tcp
        ! for the "eq 49" port match to apply.
        access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1 eq 49
        access-list 101 deny ip any any log

        ! The ACS server sits behind Ethernet0, so the ACL is applied in
        ! the outbound direction to filter traffic travelling toward it.
        interface Ethernet0
        ip access-group 101 out

    CSCdr51286
    ==========
    The  CiscoSecure  ACS  server  can  be protected from receiving an
    oversized TACACS+ packet by applying an ACL on an adjacent  router
    as shown above, or by  implementing access controls on a  firewall
    device that considers the ACS to be part of its protected network.

    An  additional  method  is  to  ensure  that a trusted path exists
    between the CiscoSecure ACS for Windows NT Server and the  devices
    that are using it.  This is a prudent measure to prevent  sniffing
    or injection of packets along that path.

    CSCdr26113
    ==========
    Unauthorized enable access due to  this defect can be thwarted  by
    storing the enable  password directly on  the CiscoSecure ACS  for
    Windows NT Server itself rather than on the remote LDAP server.