Cisco Secure Access Control Server RAS/NAS Downloadable IP ACL Disclosure

2005-12-27T10:03:29
ID OSVDB:22193
Type osvdb
Reporter Oleg Tipisov
Modified 2005-12-27T10:03:29

Description

Vulnerability Description

Cisco Secure ACS contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when Downloadable IP Access Lists are configured for use by Cisco NAS/RAS devices: the ACS creates a hidden user, which an attacker can sniff and use, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 4.01 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 18141
Other Advisory URL: http://www.securiteam.com/securitynews/6T00P1PEUQ.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-01/0048.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-12/0269.html
Keyword: FN - 61965
CVE-2005-4499
Bugtraq ID: 16025