The Cisco Product Security Incident Response Team (PSIRT) has published two important vulnerability advisories:
- Cisco Network Admission Control Guest Server System Software Authentication Bypass Vulnerability
- Cisco Secure Access Control System Unauthorized Password Change Vulnerability
Cisco Network Admission Control Guest Server System Software Authentication Bypass Vulnerability
Cisco Network Admission Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network.
Vulnerable Products
This vulnerability affects all versions of NAC Guest Server software prior to software version 2.0.3. The software version is displayed on the login page of the web server.
Details
The Cisco NAC Guest Server system software contains a vulnerability in the configuration file of the RADIUS authentication software. This misconfiguration may allow an unauthenticated user to access the protected network. This vulnerability may result in authentication bypass without requiring a valid username or password.
Impact
Successful exploitation of the vulnerability may allow unauthorized users to access the protected network.
Link: http://www.cisco.com/…/advisory09186a0080b74114.shtml
Cisco Secure Access Control System Unauthorized Password Change Vulnerability
A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password. Successful exploitation requires the user account to be defined on the internal identity store.
Vulnerable Products
The following Cisco Secure ACS versions are affected by this vulnerability:
- Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed
- Cisco Secure ACS version 5.2 without any patches installed
- Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed
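The affected-version rules for both advisories can be applied to an asset inventory as a quick triage check. The following is an added example, not code from Cisco or from the advisories; the inventory records, hostnames and field names are constructed, and how version and patch data is collected from each system is assumed.

```python
# Added example: flag systems matching the affected-version rules listed above.
# Field names and hostnames are hypothetical; records are constructed samples.

def parse_version(text):
    """'2.0.3' -> (2, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def nac_guest_affected(version):
    """NAC Guest Server: all versions prior to 2.0.3 are affected."""
    return parse_version(version) < (2, 0, 3)

def acs_affected(version, patches):
    """Cisco Secure ACS: apply the three affected combinations from the list."""
    major_minor = parse_version(version)[:2]
    installed = set(patches)
    highest = max(installed, default=0)
    if major_minor == (5, 1):
        # Affected only when patch 3, 4 or 5 is present and no patch >= 6 is.
        return bool(installed & {3, 4, 5}) and highest < 6
    if major_minor == (5, 2):
        # Affected unpatched or with patch 1/2 only; patch 3 or later clears it.
        return highest < 3
    return False  # any other version is not listed as affected on this page

def triage(inventory):
    """Return the names of inventory entries that match an affected rule."""
    hits = []
    for host in inventory:
        if host["product"] == "nac-guest":
            bad = nac_guest_affected(host["version"])
        elif host["product"] == "acs":
            bad = acs_affected(host["version"], host.get("patches", ()))
        else:
            bad = False
        if bad:
            hits.append(host["name"])
    return hits

# Constructed sample inventory.
INVENTORY = [
    {"name": "guest-01", "product": "nac-guest", "version": "2.0.2"},
    {"name": "guest-02", "product": "nac-guest", "version": "2.0.3"},
    {"name": "acs-01", "product": "acs", "version": "5.1", "patches": [1, 2]},
    {"name": "acs-02", "product": "acs", "version": "5.1", "patches": [3, 5]},
    {"name": "acs-03", "product": "acs", "version": "5.1", "patches": [4, 6]},
    {"name": "acs-04", "product": "acs", "version": "5.2", "patches": []},
    {"name": "acs-05", "product": "acs", "version": "5.2", "patches": [1, 3]},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Note that ACS 5.1 with only patch 1 or 2 installed is reported as not affected, because the list names 5.1 as affected only once patch 3, 4, or 5 is present.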
Details
Cisco Secure ACS operates as a centralized RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control into a centralized identity networking solution.
A vulnerability exists in some Cisco Secure ACS versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password. Successful exploitation requires the user account to be defined on the internal identity store.
This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any user attributes except the user password.
Impact
Successful exploitation of this vulnerability could allow an attacker to change the password of any user account that is defined on the internal identity store. After the password has been changed, an attacker could use those credentials to impersonate the user. Because the user would not know the new password, the attacker could also prevent a user from authenticating.