Cisco Secure Access Control Server vulnerable to a stack-based buffer overflow via a specially crafted "HTTP GET" request

2007-01-15T00:00:00
ID VU:744249
Type cert
Reporter CERT
Modified 2007-01-26T16:25:00

Description

Overview

A vulnerability in the web administrative server supplied with Cisco Secure ACS products could allow a remote attacker to execute arbitrary code on an affected system.

Description

Cisco Secure ACS is a Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) security server. It includes a component called CSAdmin that provides the web server for the ACS web administration interface.

A stack-based buffer overflow exists in the way that the CSAdmin server included with certain versions of Cisco Secure ACS handles specially crafted HTTP GET requests. A remote attacker with the ability to supply such a request may be able to execute arbitrary code in the context of the CSAdmin server on an affected system or cause the CSAdmin service to crash, resulting in the web administrative interface becoming unavailable.

Cisco states that versions of the Cisco Secure Access Control Server for Windows and Cisco Secure Access Control Server Solution Engine prior to 4.1 are affected by this issue. Cisco also states that if this vulnerability is successfully exploited, the CSAdmin service must be restarted manually.


Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on an affected system or cause the CSAdmin service on that system to crash, resulting in a denial of service.


Solution

Upgrade

Cisco has published Cisco Security Advisory cisco-sa-20070105-csacs in response to this issue. Users of affected software are encouraged to review this advisory and upgrade their software accordingly.


Workarounds

In addition to updated versions of the software, Cisco has published several workarounds for this issue. Users, particularly those who are unable to upgrade their software, are encouraged to review the workarounds described in Cisco Security Advisory cisco-sa-20070105-csacs.


Vendor Information

Cisco Systems, Inc.: Affected

Updated: January 15, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cisco has published Cisco Security Advisory cisco-sa-20070105-csacs in response to this issue. Users of affected software are encouraged to review this advisory and upgrade their software accordingly.

References

  • <http://secunia.com/advisories/23629/>
  • <http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml>
  • <http://www.securityfocus.com/bid/21900>

Acknowledgements

This issue was publicly reported in Cisco Security Advisory cisco-sa-20070105-csacs.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: | CVE-2007-0105
---|---
Severity Metric: | 21.38
Date Public: | 2007-01-08
Date First Published: | 2007-01-15
Date Last Updated: | 2007-01-26 16:25 UTC
Document Revision: | 8