Cisco NAC Appliance Agent Installation Bypass Vulnerability


Date: Fri, 25 Aug 2006 17:23:28 -0700 (PDT)
From: Andreas Gal <gal@uci.edu.>
To: [email protected]
Subject: Cisco NAC Appliance Agent Installation Bypass Vulnerability
Message-ID: <Pine.LNX.4.62.0608251720180.9882@sam.ics.uci.edu.>
X-GPG-FINGRPRINT: 9C09 A88B F2AC FEEA 778E  34A3 32BB 38E6 EED9 166B
X-GPG-PUBLIC_KEY: http://nil.ics.uci.edu/~gal/gal-pubkey.asc

Description:
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed 
Network Admission Control (NAC) product that uses the network 
infrastructure to enforce security policy compliance on all devices 
seeking to access network computing resources. With NAC Appliance, network 
administrators can authenticate, authorize, evaluate, and remediate wired, 
wireless, and remote users and their machines prior to network access. It 
identifies whether networked devices such as laptops, IP phones, or game 
consoles are compliant with your network's security policies and repairs 
any vulnerabilities before permitting access to the network.

Vendor site:
http://www.cisco.com/en/US/products/ps6128/

Affected versions:
All current (<= 3.6.4.1 at the time of the release)

Discovery Date:
2006-08-15

Report Date:
2006-08-20 (vendor), 2006-08-25 (public)

Severity:
Medium

Remote:
Yes

Related previous reports:
http://www.securityfocus.com/archive/1/408603/30/0/threaded

Discovered by:
Andreas Gal (http://www.andreasgal.com/)
Joachim Feise (http://www.feise.com/)

Vulnerability:
Previous versions of the software allowed users to bypass the "mandatory" 
installation of the Clean Access Agent simply by changing the browser 
user-agent string. With version 3.6.0, Cisco added further detection 
mechanisms, such as TCP fingerprinting and JavaScript-based OS detection. 
All of these signals are still supplied by the client, however. By changing 
the default parameters of the Windows TCP/IP stack (via the registry) and 
using a custom HTTPS client instead of a browser, a user can still connect 
to the network without running any of the host-based checks. Authentication 
and remote checks are not affected.
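The following is an added illustration for this advisory, not code from the original post, from Cisco, or from the kevin proof of concept. It models the admission decision the advisory describes, so that the reader can see why user-agent inspection, TCP fingerprinting and JavaScript OS detection cannot serve as a mandatory control: each signal is chosen by the client. The signature table is modelled on p0f-style SYN signatures for stock Windows XP and Linux 2.6 stacks, the policy "the agent is enforced only for hosts believed to run Windows" is inferred from the advisory, and the registry values named in the spoof are real Windows tunables whose particular settings here are illustrative, not those of sec_cloak.

```python
# Added example for this advisory; not code from the original post, from
# Cisco, or from the kevin PoC.  Models the NAC admission decision to show
# that every OS-detection signal is client-controlled.
#
# Assumptions: p0f-style signature table for stock Windows XP / Linux 2.6;
# policy "agent required only for Windows hosts" inferred from the advisory;
# spoof values are illustrative, not sec_cloak's.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SynFingerprint:
    """What a passive fingerprinter sees in the client's TCP SYN."""
    ttl: int                  # TTL as observed on the wire
    window: int               # initial window size
    options: Tuple[str, ...]  # TCP option layout, in order


# Assumed signature table (p0f style).  Keys use the stack's *initial* TTL.
SIGNATURES = {
    SynFingerprint(128, 65535, ("MSS", "NOP", "NOP", "SACK")): "windows",
    SynFingerprint(64, 5840, ("MSS", "SACK", "TS", "NOP", "WS")): "linux",
}


def initial_ttl(observed_ttl: int) -> int:
    """Map an observed TTL back to the stack default it most likely started
    from (64, 128 or 255), undoing per-hop decrements."""
    return next(t for t in (64, 128, 255) if observed_ttl <= t)


def os_from_syn(fp: SynFingerprint) -> str:
    key = SynFingerprint(initial_ttl(fp.ttl), fp.window, fp.options)
    return SIGNATURES.get(key, "unknown")


def os_from_user_agent(user_agent: str) -> str:
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "linux" in ua:
        return "linux"
    return "unknown"


def os_from_js(platform: Optional[str]) -> str:
    """Result of the server's JavaScript probe (e.g. navigator.platform).
    A custom HTTPS client never executes the page, so it reports nothing."""
    if platform is None:
        return "unknown"
    if platform.startswith("Win"):
        return "windows"
    if platform.startswith("Linux"):
        return "linux"
    return "unknown"


def agent_required(fp: SynFingerprint, user_agent: str,
                   js_platform: Optional[str]) -> bool:
    """Admission policy: require the Clean Access Agent if *any* of the
    three signals says Windows (the strictest way to combine them)."""
    votes = {os_from_syn(fp), os_from_user_agent(user_agent),
             os_from_js(js_platform)}
    return "windows" in votes


def spoofed_windows_syn() -> SynFingerprint:
    """SYN emitted by a Windows host after its TCP/IP defaults are changed
    under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters
    (DefaultTTL=64, TcpWindowSize=5840, Tcp1323Opts=3).  The value names are
    real; that the resulting SYN lines up with the Linux signature is assumed
    here, since the advisory states the registry-based spoof works."""
    return SynFingerprint(64, 5840, ("MSS", "SACK", "TS", "NOP", "WS"))


# Constructed sample clients, as the NAC server would observe them
# (TTLs already decremented by a few hops).
STOCK_WINDOWS = (SynFingerprint(121, 65535, ("MSS", "NOP", "NOP", "SACK")),
                 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "Win32")
STOCK_LINUX = (SynFingerprint(57, 5840, ("MSS", "SACK", "TS", "NOP", "WS")),
               "Mozilla/5.0 (X11; U; Linux i686) Gecko/20060808 Firefox/1.5",
               "Linux i686")
SPOOFED_WINDOWS = (spoofed_windows_syn(),
                   "Mozilla/5.0 (X11; U; Linux i686)",  # custom client picks its UA
                   None)                                # JavaScript never runs


if __name__ == "__main__":
    for name, client in (("stock windows", STOCK_WINDOWS),
                         ("stock linux", STOCK_LINUX),
                         ("spoofed windows", SPOOFED_WINDOWS)):
        print(f"{name:16s} agent required: {agent_required(*client)}")
```

The model deliberately uses the strictest combination, requiring the agent as soon as any one check votes Windows; the spoofed host still passes because the SYN, the User-Agent and the (absent) JavaScript result are all produced by the client, which is exactly the property the advisory exploits.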

Proof-of-concept implementation:
http://kevin.sf.net/howto.html
http://kevin.sf.net/download/kevin.exe
http://kevin.sf.net/download/kevin.conf
http://kevin.cvs.sourceforge.net/kevin/

Acknowledgements:
The registry settings to masquerade the Windows TCP/IP stack were derived 
from sec_cloak written by Craig Heffner.




