
T-592: Cisco Security Advisory: Cisco Secure Access Control System Unauthorized Password Change Vulnerability

March 31, 2011 - 5:05pm


PROBLEM:

A vulnerability was reported in Cisco Secure Access Control System. A remote user can change the passwords of arbitrary users.

PLATFORM:

Cisco Secure ACS versions 5.1 patch 3, 4, and 5; 5.2; 5.2 patch 1 and 2

ABSTRACT:

Cisco Secure ACS operates as a centralized RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control into a centralized identity networking solution.

REFERENCE LINKS:

Cisco Advisory ID: 112913
SecurityTracker: 1025271
CVE-2011-0951

IMPACT ASSESSMENT:

Medium

Discussion:

A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store.

This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password.


Impact:

A remote user can change the passwords of arbitrary users. The following versions are affected:
1. Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed.
2. Cisco Secure ACS version 5.2 without any patches installed.
3. Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed.

A remote user can exploit a flaw in the web-based management interface to change the password of an arbitrary user account to an arbitrary value. User accounts that are defined on the internal identity store are affected.
System administrator accounts for the Cisco Secure ACS server that have been configured through the web-based interface are not affected.
User accounts for the Cisco Secure ACS server that have been configured through the "username password" command are not affected.

Solution:

The vendor has issued a fix:

1. Cisco Secure ACS version 5.1: File 5-1-0-44-6.tar.gpg - ACS 5.1.0.44 cumulative patch 6
2. Cisco Secure ACS version 5.2: File 5-2-0-26-3.tar.gpg - ACS 5.2.0.26 cumulative patch 3
Cisco Security Advisories
Cisco Download Software
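As an added example (not part of this bulletin and not Cisco's own tooling), the following Python encodes the affected-version list and the fix files above into a small assessment routine that an administrator can run against an inventory of ACS version strings. The accepted input format ("5.1.0.44 patch 3, 5"), the function names and the sample inventory lines are assumptions constructed for this illustration; the version and patch numbers themselves come from the advisory.

```python
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Affected trains exactly as listed in the advisory (5.1 and 5.2 only).
#   affected_patches   : installed cumulative patch numbers that leave the train exposed
#   unpatched_affected : whether the train is exposed with no patch installed at all
#   fixed_patch        : first cumulative patch that resolves CVE-2011-0951
#   fixed_file         : patch file named in the advisory's Solution section
ADVISORY: Dict[str, dict] = {
    "5.1": dict(affected_patches={3, 4, 5}, unpatched_affected=False,
                fixed_patch=6, fixed_file="5-1-0-44-6.tar.gpg"),
    "5.2": dict(affected_patches={1, 2}, unpatched_affected=True,
                fixed_patch=3, fixed_file="5-2-0-26-3.tar.gpg"),
}

# Assumed inventory format: "<major>.<minor>[.x.y] [patch N[, N][ and N]]"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.\d+)*")
_PATCH_RE = re.compile(r"patch(?:es)?((?:\s*(?:,|and)?\s*\d+)+)", re.IGNORECASE)


def parse_acs_version(text: str) -> Tuple[str, FrozenSet[int]]:
    """Return (train, installed cumulative patch numbers) from an inventory string
    such as 'ACS 5.1.0.44 patch 3, 5' or plain '5.2'. Raises ValueError if no
    version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ACS version found in {text!r}")
    train = f"{m.group(1)}.{m.group(2)}"
    patches = set()
    for pm in _PATCH_RE.finditer(text):
        patches.update(int(n) for n in re.findall(r"\d+", pm.group(1)))
    return train, frozenset(patches)


def is_affected(train: str, installed: FrozenSet[int]) -> bool:
    """Apply the advisory's affected-version rules to one host."""
    entry = ADVISORY.get(train)
    if entry is None:
        return False  # train not listed in the advisory
    if any(p >= entry["fixed_patch"] for p in installed):
        return False  # the fixing cumulative patch (or a later one) is present
    if not installed:
        return entry["unpatched_affected"]
    return bool(installed & entry["affected_patches"])


def assess(text: str) -> dict:
    """Parse one inventory line and report exposure plus the fix file to apply."""
    train, installed = parse_acs_version(text)
    affected = is_affected(train, installed)
    remediation: Optional[str] = ADVISORY[train]["fixed_file"] if affected else None
    return {
        "train": train,
        "installed_patches": sorted(installed),
        "affected": affected,
        "remediation": remediation,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        "acs-01: ACS 5.1.0.44 patch 3, 5",
        "acs-02: ACS 5.1.0.44 patch 6",
        "acs-03: ACS 5.2.0.26",
        "acs-04: ACS 5.2.0.26 patch 1 and 2",
        "acs-05: ACS 5.2.0.26 patch 3",
    ]
    for line in inventory:
        host, _, version = line.partition(":")
        result = assess(version)
        status = f"AFFECTED, apply {result['remediation']}" if result["affected"] else "not affected"
        print(f"{host}: {result['train']} patches={result['installed_patches']} -> {status}")
```

The rules follow the bulletin literally: a 5.1 host with no patch, or with patch 1 or 2 only, is reported as not affected because the advisory does not list it, so treat the output as a triage aid against this advisory rather than a general vulnerability scan.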
