A vulnerability was reported in Cisco Secure Access Control System. A remote user can change the passwords of arbitrary users.
Cisco Secure ACS versions 5.1 patch 3, 4, and 5; 5.2; 5.2 patch 1 and 2
Cisco Secure ACS operates as a centralized RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control into a centralized identity networking solution.
A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store.
This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password.
The following versions are affected: A remote user can change the passwords of arbitrary users.
1. Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed.
2. Cisco Secure ACS version 5.2 without any patches installed.
3. Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed.
A remote user can exploit a flaw in the web-based management interface to change the password of an arbitrary user account to an arbitrary value. User accounts that are defined on the internal identity store are affected.
System administrator accounts for the Cisco Secure ACS server that have been configured through the web-based interface are not affected.
User accounts for the Cisco Secure ACS server that have been configured through the "username password " command are not affected.
The vendor has issued a fix:
1. Cisco Secure ACS version 5.1: File 5-1-0-44-6.tar.gpg - ACS 18.104.22.168 cumulative patch 6
2. Cisco Secure ACS version 5.2: File 5-2-0-26-3.tar.gpg - ACS 22.214.171.124 cumulative patch 3
Cisco Security Advisories
Cisco Download Software