Cisco Security Notice: CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability

[psirt () CISCO COM (Cisco Product Security Incident Response Team)]

-----BEGIN PGP SIGNED MESSAGE-----

CiscoSecure Access Control Server for UNIX Remote Administration
Vulnerability

Revision 1.0

For public release Thursday, 1999 August 19, at 08:00AM US/Pacific (UTC-0700)
=============================================================================

Summary
=======
In CiscoSecure Access Control Server (CiscoSecure ACS) for UNIX, versions
1.0 through 2.3.2, there is a database access protocol that could permit
unauthorized remote users to read and write the server database without
authentication. Depending on the network environment, this might permit
unauthorized users to modify the access policies enforced by the
CiscoSecure ACS.  A utility that is capable of using this protocol to read
or modify a database is shipped with the CiscoSecure ACS product.

This vulnerability can be eliminated by either a CiscoSecure configuration
change, or network configuration change. Cisco has provided a new release
that changed a default setting, in order to ensure higher default security
level.

This vulnerability has Cisco bug ID CSCdm71489.

Who Is Affected
===============
If you are running an affected version of CiscoSecure ACS for UNIX, and if
you have not modified the configuration to strictly permit connections from
trusted hosts, and if untrusted users can make TCP connections to TCP port
9900 on the computer on which you have installed CiscoSecure ACS, then you
are vulnerable.

Users of CiscoSecure ACS for Windows NT are not vulnerable.

Impact
======
The impact may vary, depending whether potential attackers have access to
port 9900 on the CiscoSecure ACS computer.  This vulnerability could allow
an attacker to remove accounts, add accounts and change passwords or
privileges in the user database, including implementing an administrative
account, that would give them control of the CiscoSecure ACS server.

Customers who may have been vulnerable to attack are advised to review
privileged accounts, and any suspicious database changes.

Details
=======
This vulnerability has been assigned Cisco bug ID CSCdm71489.

Affected and Repaired Software Versions
=======================================
This applies ONLY to CiscoSecure ACS for UNIX, and is present in all
versions, up to version 2.3.2.  Version 2.3.3 of CiscoSecure ACS for UNIX
has been modified to validate administrative clients by default.

This vulnerability applies only to the software product CiscoSecure Access
Control Server for UNIX, and does not apply to CiscoSecure Access Control
Server for NT.

Getting Fixed Software
======================
As the software fix consists of changing default behavior, and is
equivalent to the recommended workarounds, a software upgrade is not
required to address this vulnerability.  However, if you are running one of
the releases affected by defects CSCdk55423 or CSCdm72555, as listed in the
Workarounds section in this notice, and these defects prevent you from
working around this vulnerability, a software upgrade is necessary, and
will be provided, regardless of contract status.

If you have a service contract, please download the new software from
Cisco's Worldwide Web site at http://www.cisco.com.  If you do not have a
service contract, please call the Cisco TAC at one of the telephone numbers
listed in the "Cisco Security Procedures" section of this notice. Give the
URL of this notice as evidence of your entitlement to an upgrade.

Workarounds
===========
Two workarounds for this vulnerability exist.

One workaround consists of enabling client validation within CiscoSecure
ACS for UNIX.  A caveat to this workaround is that there are some versions
of CiscoSecure ACS for UNIX that are subject to another defect,  which
prevents access to additional administration utilities (the Advanced
Administration GUI) within CiscoSecure ACS for UNIX when the client
validation feature is enabled. This problem is identified in CSCdm72555
which affects versions 2.3.1 and 2.3.2, and CSCdk55423, which affects
versions 2.2.2, 2.2.3 of CiscoSecure ACS for UNIX.  This workaround will
not be effective in CiscoSecure ACS for UNIX version 2.2.2, 2.2.3, 2.3.1
and 2.3.2, and customers are encouraged to upgrade to a version that does
not include this defect.  Version 2.3.3 is currently available and is not
susceptible to the above problem.

You must edit the CSCconfig.ini file, list the permitted remote access
hosts, enable remote client validation.  TACACS or RADIUS clients do NOT
need to be listed under this setting, only hosts that are permitted to
administer the server should be listed.

In the following example,  'acs_srv_machine' resolves to localhost, and we
are providing remote administration privileges to the hosts
'client_machine' and the ip address 172.16.23.23.  Permitted clients may be
defined by a hostname, or an ip address.

CSCconfig.ini file should be edited with the following information:

     [ValidClients]

      ;if ValidateClients=true, than we only allow the clients with ids listed

      ; to connect to the dbserver

      100 = acs_srv_machine

      100 = client_machine

      100 = 172.16.23.23

      ValidateClients = true

      ...

An additional configuration parameter "FastAdminValidClients" was added in
CiscoSecure ACS version 2.3.3 allowing the Fast Administrator Web based GUI
to permit the same IP addresses specified in the valid clients list, to
further restrict client access.

A second workaround is to use filtering on other network devices, such as a
firewall, to control or block access to TCP port 9900 on the CiscoSecure
ACS for UNIX server.

Exploitation and Public Announcements
=====================================
Cisco does not have any reports of malicious use of this vulnerability.
CiscoSecure ACS for UNIX Reference Guide does include a cautionary note
regarding this vulnerability.

Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.

Distribution
============
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/csecure-dbaccess.shtml. In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:

   * cust-security-announce () cisco com
   * bugtraq () netspace org
   * first-teams () first org (includes CERT/CC)
   * cisco () spot colorado edu
   * comp.dcom.sys.cisco
   * first-info () first org
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Revision History
================
 Revision 1.0, 08:00 AM US/Pacific     Initial public
 19-AUGUST-99                          release.

Cisco Security Procedures
=========================

Cisco's Worldwide Web site contains complete information for reporting
security vulnerabilities in Cisco products, obtaining assistance with
security incidents, and registering to receive security information
directly from Cisco at
http://www.cisco.com/warp/public/791/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.

  ------------------------------------------------------------------------

This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the notice,
provided that redistributed copies are complete and unmodified, including
all date and version information.

  ------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBN7via3LSeEveylnrAQFVnwgAkij5Ap3JcgBDzK5L01rdYjVLmaVAaJjU
AA7NZhPm1+2DOhixSA5WMGoXKWqTP+0tK0IBnAsbuNt1wKXPgL1f1WKvLdZiy806
ay/XYoFDYHg6oAwYioRoZ4yU4btSSHMwLCXx2nKsBc12zwyXAWmvfSMVTc+UXigm
fm1kA4JP5UY5Nt3QsWuwpC6gb6XKtpGvAqccT5GtDai+CdtpKafZSsdM7qfupdy0
tvWzTXwIcAEMw3VTAsJ95pGUDT425jqNEbHPSTfRX5elgl1ahcGSM5FAjs3PdzMS
UWAa9kX7+uzY6OOD92Lr57/HbPfBkuNJ9SoagN4AefK+AUFCnmrImw==
=t3gQ
-----END PGP SIGNATURE-----