Cisco Secure Access Control System TACACS+ Authentication Bypass Vulnerability

2012-11-07T16:00:00
ID CISCO-SA-20121107-ACS
Type cisco
Reporter Cisco
Modified 2012-11-07T16:21:44

Description

Cisco Secure Access Control System (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to bypass TACACS+ based authentication service offered by the affected product. The vulnerability is due to improper validation of the user-supplied password when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store.

An attacker may exploit this vulnerability by sending a special sequence of characters when prompted for the user password. The attacker would need to know a valid username stored in the LDAP external identity store to exploit this vulnerability, and exploitation is limited to impersonating only that user. An exploit could allow the attacker to successfully authenticate to any system using TACACS+ in combination with an affected Cisco Secure ACS.

Cisco has released software updates that address this vulnerability. There are no workarounds for this vulnerability. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121107-acs

Cisco Secure Access Control System (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to bypass the TACACS+ based authentication service offered by the affected product.

The vulnerability is due to improper validation of the user-supplied password when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store.

An attacker could exploit this vulnerability by sending a special sequence of characters when prompted for the user password. The attacker would need to know a valid username stored in the LDAP external identity store in order to exploit this vulnerability, and exploitation is limited to impersonating only that user. An exploit could allow the attacker to successfully authenticate to any system using TACACS+ in combination with an affected Cisco Secure ACS.

Note: Only a Cisco Secure ACS that is configured for TACACS+ authentication and uses LDAP as the external identity store is vulnerable.

A Cisco Secure ACS used for authentication service in combination with other supported protocols, such as RADIUS, or TACACS+ used in combination with an internal identity store or other external stores (for example, RADIUS Identity Server, Active Directory, and RSA SecurID Token Server), is not vulnerable.

Successful exploitation of this vulnerability could allow the attacker to bypass the authentication of any system that uses TACACS+ and relies on the authentication service provided by an affected Cisco Secure ACS. However, the attacker will not be able to gain unauthorized access to the management interface of the Cisco Secure ACS.