RE: Cisco Clean Access Agent (Perfigo) bypass

["Dario Ciccarone (dciccaro)" <dciccaro () cisco com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This is in response to the email posted by 'llhansen-bugtraq () adams edu' 
on August 19, 2005. 

The original email is available at
http://www.securityfocus.com/archive/1/408603/30/0/threaded .

Attached: a cleartext, PGP signed version of this same email.

Hi llhansen,
While it is correct that a user can modify the 'User-Agent' string
on access to the CCA Server authentication page in order to prevent
installation of the CCA Agent, there are some things that should be
clarified:

1) Users cannot bypass authentication irrespective of the value of
the 'User-Agent' string provided. Hence, there is no danger of 
invalid users (users with no credentials or invalid credentials) 
getting onto the network. 

2) If there is the suspicion that a malicious user might try to 
masquerade as non-Windows machines, e.g. Linux, in order to bypass 
CCA Agent installation, the administrator can define Network Scanning 
rules on the CCA Manager and use Nessus scans to determine the real 
OS in use. This will catch users that are masquerading. For this, the 
CCA administrator can either obtain the appropiate plug-ins from 
Tenable or www.nessus.org - as an alternative, users can write and 
integrate their own plugins.

3) Furthermore, if the malicious user installs a personal firewall or
similar software, in order to make the network scan timeout, CCA 
provides options to quarantine the malicious user if the network scan
times out.  Hence, such users can also get quarantined, following which 
administrators can determine whether the user is masquerading or not. 

CCA continues to evolve and include safeguards to prevent malicious 
users from trying to bypass the checks in place.

Thank you for your work on this problem. As always, working with the
Cisco PSIRT team is the best way to verify the accuracy of information 
before posting it publicly.

We do greatly appreciate the opportunity to work with researchers on 
security vulnerabilities, and welcome the opportunity to review and
assist with Product Security Advisories.  Our ultimate goal is to ensure

that customers have accurate information on which to base upgrade and
workaround decisions and we welcome partnership with researchers 
towards that goal.

Thanks,
Dario

Quidquid latine dictum sit, altum viditur

Dario Ciccarone
CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
dciccaro () cisco com
 

> -----Original Message-----
> From: llhansen-bugtraq () adams edu [mailto:llhansen-bugtraq () adams edu] 
> Sent: Friday, August 19, 2005 12:30 PM
> To: bugtraq () securityfocus com
> Subject: Cisco Clean Access Agent (Perfigo) bypass
>
> Description: 
> Cisco Clean Access is an easily deployed software solution 
> that can automatically detect, isolate, and clean infected or 
> vulnerable devices that attempt to access your network. It 
> identifies whether networked devices such as laptops, 
> personal digital assistants, even game consoles are compliant 
> with your network's security policies and repairs any 
> vulnerabilities before permitting access to the network. 
>
> Vendor site:
> http://www.cisco.com/en/US/products/ps6128/
>
> Affected versions: 
> This works in at least 3.5.3.1 and 3.5.4.
>
> Discovery Date: 
> 2005-08-12
>
> Report Date: 
> 2005-08-19
>
> Severity:
> Medium
>
> Vulnerability: 
> End users can bypass the "mandatory" installation of the 
> Clean Access Agent by changing the User-Agent string of their 
> browser. This allows them to connect to the network without 
> the host-based checks being run. If configured, remote checks 
> are still run.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQwni8IyVGB+6GuDwEQIruwCdF/lpHQCavH7KKNtYk2RGLycAyPkAoN1W
J9PSv19tU6lDJB39nR1Hiteg
=FrBo
-----END PGP SIGNATURE-----

Attachment: cisco-bugtraq-cca-final.txt.asc
Description: cisco-bugtraq-cca-final.txt.asc