From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 8 Jan 2007 13:35:58 +0200
Subject: [NEWS] Multiple Vulnerabilities in Cisco Clean Access
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070108133748.F0524582D@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in Cisco Clean Access
------------------------------------------------------------------------
SUMMARY
Cisco Clean Access (CCA) is a software solution that can automatically
detect, isolate, and clean infected or vulnerable devices that attempt to
access your network. It consists of Cisco Clean Access Manager (CAM) and
Cisco Clean Access Server (CAS) devices that work in tandem.
DETAILS
Vulnerable Products:
The following software releases are vulnerable.
Unchangeable Shared Secret
* CCA releases 3.6.x - 3.6.4.2
* CCA releases 4.0.x - 4.0.3.2
Readable Snapshots
* CCA releases 3.5.x - 3.5.9
* CCA releases 3.6.x - 3.6.1.1
Unchangeable Shared Secret
In order for Cisco Clean Access Manager (CAM) to authenticate to a Cisco
Clean Access Server (CAS), both CAM and CAS must have the same shared
secret. The shared secret is configured during the initial CAM and CAS
setup. Due to this vulnerability the shared secret can not be properly set
nor be changed, and it will be the same across all affected devices. In
order to exploit this vulnerability the adversary must be able to
establish a TCP connection to CAS.
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg24153>;
CSCsg24153 ( registered customers only) .
Readable Snapshots
Manual backups of the database ('snapshots') taken on CAM are susceptible
to brute force download attacks. A malicious user can guess the file name
and download it without authentication. The file itself is not encrypted
or otherwise protected.
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd48626>;
CSCsd48626 ( registered customers only) .
Impact
Unchangeable Shared Secret
Successful exploitation of the vulnerability may enable a malicious user
to effectively take administrative control of a CAS. After that, every
aspect of CAS can be changed including its configuration and setup.
Readable Snapshots
The snapshot contains sensitive information that can aide in the attempts,
or be used to compromise the CAM. Among other things, the snapshot can
contain passwords in cleartext. Starting with the release 3.6.0, passwords
are no longer stored in cleartext in the snapshot files.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com.> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20070103-CleanAccess.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20070103-CleanAccess.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
