Cisco Secure Access Control Server vulnerable to a stack-based buffer overflow via a specially crafted "HTTP GET" request
Published: 2007-01-15T00:00:00
ID: VU:744249 | Type: cert | Reporter: CERT | Modified: 2007-01-26T16:25:00
Overview
A vulnerability in the web administrative server supplied with Cisco Secure ACS products could allow a remote attacker to execute arbitrary code on an affected system.
Description
Cisco Secure ACS is a Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) security server. It includes a component called CSAdmin that provides the web server for the ACS web administration interface.
A stack-based buffer overflow exists in the way that the CSAdmin server included with certain versions of Cisco Secure ACS handles specially crafted HTTP GET requests. A remote attacker with the ability to supply such a request may be able to execute arbitrary code in the context of the CSAdmin server on an affected system or cause the CSAdmin service to crash, resulting in the web administrative interface becoming unavailable.
Cisco states that versions of the Cisco Secure Access Control Server for Windows and Cisco Secure Access Control Server Solution Engine prior to 4.1 are affected by this issue. Cisco also states that if this vulnerability is successfully exploited, the CSAdmin service will require a manual restart.
Impact
A remote, unauthenticated attacker may be able to execute arbitrary code on an affected system or cause the CSAdmin service on that system to crash, resulting in a denial of service.
Solution
Upgrade
Cisco has published Cisco Security Advisory cisco-sa-20070105-csacs in response to this issue. Users of affected software are encouraged to review this advisory and upgrade their software accordingly.
Workarounds
In addition to updated versions of the software, Cisco has published several workarounds for this issue. Users, particularly those who are unable to upgrade their software, are encouraged to review the workarounds described in Cisco Security Advisory cisco-sa-20070105-csacs.
Vendor Information
Cisco Systems, Inc. (Affected)
Updated: January 15, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Cisco has published Cisco Security Advisory cisco-sa-20070105-csacs in response to this issue. Users of affected software are encouraged to review this advisory and upgrade their software accordingly.
Acknowledgements
This issue was publicly reported in Cisco Security Advisory cisco-sa-20070105-csacs.
This document was written by Chad R Dougherty.
Other Information
CVE IDs: | CVE-2007-0105
---|---
Severity Metric: | 21.38
Date Public: | 2007-01-08
Date First Published: | 2007-01-15
Date Last Updated: | 2007-01-26 16:25 UTC
Document Revision: | 8