Sep
5
2008
Security Advisory

Cisco Secure ACS EAP Parsing Vulnerability

Author An article by Fabio Semperboni    Comments No Comments
Very PoorPoorAverageGoodExcellent (No Ratings Yet)

A new Cisco ACS vulnerability is found by Gabriel Campana and Laurent Butti.
Cisco Secure ACS does not correctly parse the length of EAP-Response packets which allows remote attackers to cause a denial of service and possibly execute arbitrary code.
The affected products are all versions of Cisco Secure ACS that support EAP.

A remote attacker (acting as a RADIUS client) could send a specially crafted EAP Response packet against a Cisco Secure ACS server in such a way as to cause the CSRadius service to crash (reliable).

Details:
——–
* An EAP packet is as follows:

 

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Identity...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

* For example, the following packet will trigger the vulnerability
and crash CSRadius.exe:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2 | 0 | 0xdddd |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 1 | abcd
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

 

More info on http://www.securityfocus.com/archive/1/495937/30/0/threaded

Cisco Response: http://www.cisco.com/warp/public/707/cisco-sr-20080903-csacs.shtml

Tags: , ,

Related Posts

About the Author: Fabio Semperboni

Leave a comment

CAPTCHA Image