Cisco Secure ACS for Windows - Administrator Password Disclosure



SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure



                    Symantec Vulnerability Research
                   https://www.symantec.com/research
                          Security Advisory

Advisory ID   : SYMSA-2006-003
Advisory Title: Cisco Secure ACS for Windows - Administrator
                Password Disclosure
Author        : Andreas Junestam
Release Date  : 05-08-2006
Application   : Cisco Secure ACS 3.x for Windows
Platform      : Microsoft Windows
Severity      : System access / exploit available
Vendor status : Vendor verified, workaround available
CVE Number    : CVE-2006-0561
Reference     : http://www.securityfocus.com/bid/16743


Overview:

	Cisco Secure ACS is a central administration platform for
	Cisco network devices. It controls authentication and
	authorization for enrolled devices. Administrative
	passwords for locally-defined users are stored in such a
	way that they can be obtained from the Windows registry. If
	remote registry access is enabled, this can be done over
	the network.

	If Cisco Secure ACS is configured to use an external
	authentication service such as Windows Active Directory or
	LDAP, the passwords for users stored by those services are
	not vulnerable to this issue.


Details:

	Cisco Secure ACS 3.x for Windows stores passwords for
	administrative users in the registry. The passwords are
	encrypted using the Crypto API Microsoft Base Cryptographic
	Provider v1.0. Along with the passwords, ACS also stores
	the key used to encrypt the information. This information
	can easily be obtained locally by a Windows administrator,
	and if remote registry access is enabled, it can be
	obtained over the network. With this, the clear-text
	passwords can be recovered by decrypting the information
	in the registry with the supplied key. Access to these
	passwords provides access to all Cisco devices controlled
	by the ACS server.


Vendor Response:

	Cisco Secure ACS 3.x for Windows stores the passwords of
	ACS administrators in the Windows registry in an encrypted
	format. A locally generated master key is used to
	encrypt/decrypt the ACS administrator passwords. The master
	key is also stored in the Windows registry in an encrypted
	format. Using Microsoft cryptographic routines, it is
	possible for a user with administrative privileges to a
	system running Cisco Secure ACS to obtain the clear-text
	version of the master key. With the master key, the user
	can decrypt and obtain the clear-text passwords for all
	ACS administrators. With administrative credentials to
	Cisco Secure ACS, it is possible to change the password
	for any locally defined users. This may be used to gain
	access to network devices configured to use Cisco Secure
	ACS for authentication.

	If remote registry access is enabled on a system running
	Cisco Secure ACS, it is possible for a user with
	administrative privileges (typically domain administrators)
	to exploit this vulnerability.

	If Cisco Secure ACS is configured to use an external
	authentication service such as Windows Active Directory /
	Domains or LDAP, the passwords for users stored by those
	services are not at risk of compromise via this
	vulnerability.

	This vulnerability only affects version 3.x of Cisco Secure
	ACS for Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco
	Secure ACS for UNIX are not vulnerable. Cisco Secure ACS 3.x
	appliances do not permit local or remote Windows registry
	access and are not vulnerable.

Workaround:

	It is possible to mitigate this vulnerability by
	restricting access to the registry key containing the
	ACS administrators' passwords. One feature of Windows
	operating systems is the ability to modify the permissions
	of a registry key to remove access even for local or
	domain administrators. Using this feature, the registry
	key containing the ACS administrators' passwords can be
	restricted to only the Windows users with a need to
	maintain the ACS installation or operate the ACS services.

	The following registry key and all of its sub-keys need to
	be protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

	Note: The "CiscoAAAv3.3" portion of the registry key path
	may differ slightly depending on the version of Cisco Secure
	ACS for Windows that is installed.

	There are two general deployment scenarios for Cisco Secure
	ACS. The Windows users that need permissions to the registry
	key will depend on the deployment type.

	* If Cisco Secure ACS is not installed on a Windows domain
	controller, access to the registry key should be limited to
	only the local Windows SYSTEM account and specific local /
	domain administrators who will be performing software
	maintenance on the ACS installation.

	* If Cisco Secure ACS is installed on a Windows domain
	controller, access to the registry key should be limited to
	the domain account which ACS is configured to use for its
	services, the local Windows SYSTEM account and specific
	local / domain administrators who will be performing
	software maintenance on the ACS installation.

	For information about editing the Windows registry, please
	consult the following Microsoft documentation.

	"Description of the Microsoft Windows registry"

http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986

	Further mitigation against remote exploitation can be
	achieved by restricting access to authorized users or
	disabling remote access to the Windows registry on systems
	running Cisco Secure ACS for Windows. For information on
	restricting remote registry access, please consult the
	following Microsoft documentation.

	"How to restrict access to the registry from a remote computer"

http://support.microsoft.com/kb/q153183

	"How to Manage Remote Access to the Registry"

http://support.microsoft.com/kb/q314837

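	A read-only way to verify the workaround above, added here as an
	example and not part of the Symantec or Cisco text: it lists every
	principal outside an intended allow-list that still holds access on
	the ACS administrators key or its sub-keys, and reports the state of
	remote registry access. The function names, the allow-list and the
	CONTOSO\acs-maint account are assumptions to replace with your own.

```powershell
# Added example, not from the advisory: read-only audit of the workaround state.
# Run as an account that can still read the key's permissions once the ACL is tightened.
# Assumptions: $Allowed is your intended allow-list; 'CONTOSO\acs-maint' is a
# constructed placeholder; the 'CiscoAAAv3.3' component may differ per ACS version.
$KeyPath = 'HKLM:\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators'
$Allowed = @('NT AUTHORITY\SYSTEM', 'CONTOSO\acs-maint')

function Get-UnexpectedRegistryAccess {
    param([string]$Path, [string[]]$AllowedPrincipals)
    # The advisory says the key and all of its sub-keys need to be protected.
    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        foreach ($rule in $acl.Access) {
            $who = $rule.IdentityReference.Value
            # Report every Allow entry held by a principal outside the allow-list.
            if ($rule.AccessControlType -eq 'Allow' -and $AllowedPrincipals -notcontains $who) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $who
                    Rights    = $rule.RegistryRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

function Get-RemoteRegistryExposure {
    # Remote reads need the Remote Registry service; the ACL on the winreg key
    # decides which principals may connect to the registry over the network.
    $svc    = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $remote = if (Test-Path -LiteralPath $winreg) {
        (Get-Acl -LiteralPath $winreg).Access |
            Where-Object AccessControlType -eq 'Allow' |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    }
    [pscustomobject]@{ ServiceStatus = $svc.Status; RemoteAllowed = $remote }
}

if (Test-Path -LiteralPath $KeyPath) {
    Get-UnexpectedRegistryAccess -Path $KeyPath -AllowedPrincipals $Allowed | Format-Table -AutoSize
} else { Write-Warning "Key not found: $KeyPath" }
Get-RemoteRegistryExposure | Format-List
```

	An empty table from the first call means no principal outside the
	allow-list holds an Allow entry on the key or its sub-keys.
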
Recommendation:

	Follow your organization's testing procedures before
	applying patches or workarounds.  See Cisco's instructions
	on how to place an ACL on the Registry Key, and also how
	to restrict remote access to the Windows registry.

	These recommendations do not eliminate the vulnerability,
	but provide some mitigation.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


	CVE-2006-0561

-------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research PGP Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_PGP.asc

-------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com

For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

---------------------------------------------------------------

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from cs_advisories@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.