07:36 PM

Researcher Reports Flaw In Cisco Secure Access Control Server

Secure ACS, software that combines authentication, access, and policy controls, includes a hole that could enable attackers to gain administrative access to the Web-based interface used to manage network devices, the researcher says.

A vulnerability has been discovered in Cisco's Secure Access Control Server (ACS), a key part of Cisco's trust and identity management framework and one of the cornerstones of the vendor's Network Admission Control (NAC) initiative.

Secure ACS, an identity networking solution that simplifies user management by combining authentication, user and administrator access, and policy control, includes a flaw that could enable attackers to gain administrative access to the Web-based interface used to manage network devices, according to independent security researcher Darren Bounds, who revealed the flaw in a post to the Full Disclosure security mailing list last week.

Secure ACS is essentially the hub of Cisco's NAC framework and it relies heavily on the ability of the user and endpoints to authenticate against a central directory, Bounds said. "Ultimately, compromising Secure ACS grants you administrative access to any devices that the server is responsible for authenticating," said Bounds.

The flaw is "fairly trivial" to exploit because the information to exploit it can be easily acquired and may already exist in some circumstances, Bounds said. For example, many companies handle access to the Secure ACS through a proxy, which means all clients have the same IP address, he noted.

To exploit the flaw, attackers also need to find out which dynamic port is being leveraged by the ACS server for administration purposes, and that information is easy to predict because the current implementation of Secure ACS uses automatic port allocation, Bounds said.

"It's very easy to determine if an administrator is logged in to determine what port they're using," Bounds said. And because there are only about 65,000 port combinations, attackers could also just run through all the ports to find the one they need, he added.
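One way to turn the brute-force scenario above into a detection: the attacker has to open connections to a large number of distinct ports on the ACS host in a short time to find the one carrying the live administrative session, and that fan-out is visible at any firewall or flow collector in front of the server. The following is an added example written for this page, not code from Cisco, Bounds, or the article; the log format, the ACS address 10.0.0.5, the listener port 2002 used for the legitimate login, and the log lines themselves are all constructed for the sample.

```python
"""Flag sources sweeping ports on a Secure ACS host (added example; constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACS_HOST = "10.0.0.5"        # assumed ACS server address, not taken from the article
SWEEP_THRESHOLD = 40         # distinct destination ports from one source within WINDOW
WINDOW = timedelta(seconds=60)

# Generic "timestamp TCP src:sport -> dst:dport SYN" lines; any real firewall
# or NetFlow export would need its own regex in place of this one.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)


def parse_line(line):
    """Return (ts, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_port_sweeps(lines, acs_host=ACS_HOST, threshold=SWEEP_THRESHOLD, window=WINDOW):
    """Map each source that touches >= threshold distinct ports on acs_host inside
    any sliding window to (window start, distinct port count at detection time)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != acs_host:
            continue                      # unparseable or not aimed at the ACS host
        ts, src, _, dport = rec
        events[src].append((ts, dport))

    alerts = {}
    for src, recs in events.items():
        recs.sort()                       # order by timestamp
        win = deque()                     # (ts, dport) records inside the window
        counts = defaultdict(int)         # dport -> hits inside the window
        for ts, dport in recs:
            win.append((ts, dport))
            counts[dport] += 1
            while win and ts - win[0][0] > window:   # evict records older than WINDOW
                old_ts, old_port = win.popleft()
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
            if len(counts) >= threshold:
                alerts[src] = (win[0][0], len(counts))
                break
    return alerts


def build_sample_log():
    """Constructed traffic: one legitimate admin login plus a sweep from another host."""
    base = datetime(2006, 6, 26, 14, 0, 0)
    lines = [
        # Admin reaches the fixed listener (2002 assumed here), then the single
        # dynamically allocated port the session is moved to: two ports, no alert.
        f"{base.isoformat()} TCP 192.0.2.20:50001 -> {ACS_HOST}:2002 SYN",
        f"{(base + timedelta(seconds=1)).isoformat()} TCP 192.0.2.20:50002 -> {ACS_HOST}:33891 SYN",
        # Unrelated host talking to a different server: ignored.
        f"{(base + timedelta(seconds=2)).isoformat()} TCP 192.0.2.30:50003 -> 10.0.0.9:443 SYN",
        "this line is not in the expected format and is skipped",
    ]
    # Attacker walking the high port range one port per second looking for the session.
    for i in range(60):
        ts = base + timedelta(seconds=5 + i)
        dport = 1024 + (i * 997) % 64511          # 60 distinct ports, no wrap-around
        lines.append(f"{ts.isoformat()} TCP 192.0.2.10:{40000 + i} -> {ACS_HOST}:{dport} SYN")
    return lines


if __name__ == "__main__":
    for src, (start, n) in find_port_sweeps(build_sample_log()).items():
        print(f"port sweep from {src}: {n} distinct ports on {ACS_HOST} since {start}")
```

The detector keys on source address, which is exactly the attribute the article says a shared proxy erases: when the legitimate administrator and the attacker sit behind the same proxy, the sweep still stands out as an abnormal fan-out from that proxy's address, but the alert cannot say which client behind it is responsible, so the proxy's own access log is the next thing to pull.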

To mitigate the threat, Chris Labatt-Simon, president and CEO of D&D Consulting, an Albany, N.Y.-based solution provider, recommends that companies use more security on their boxes and not allow access to Secure ACS from proxy servers. "We're advising our customers to restrict the number of IP addresses that have access to the box and to sign in and out as quickly as possible, which will minimize the window of exposure," said Labatt-Simon.

Symantec, in an advisory sent to customers of its DeepSight Threat Management System Monday, recommended blocking external access at the network boundary and adding an extra layer of authentication, such as a VPN, to all network communications involving Secure ACS.

In a statement issued June 23, Cisco's Product Security Incident Response Team (PSIRT) said it is investigating the vulnerability.

Updated June 27 at 6:15 PM EDT.
