A new Cisco ACS vulnerability is found by Gabriel Campana and Laurent Butti.
Cisco Secure ACS does not correctly parse the length of EAP-Response packets which allows remote attackers to cause a denial of service and possibly execute arbitrary code.
The affected products are all versions of Cisco Secure ACS that support EAP.
A remote attacker (acting as a RADIUS client) could send a specially crafted EAP Response packet against a Cisco Secure ACS server in such a way as to cause the CSRadius service to crash (reliable).
Details:
——–
* An EAP packet is as follows:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Identity... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * For example, the following packet will trigger the vulnerability and crash CSRadius.exe: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2 | 0 | 0xdddd | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1 | abcd +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
More info on http://www.securityfocus.com/archive/1/495937/30/0/threaded
Cisco Response: http://www.cisco.com…/cisco-sr-20080903-csacs.html