Cisco fixes remote access flaws in its Secure Access Control System
Vulnerabilities in network access control product could give attackers access to administrative functions
IDG News Service - Cisco Systems has released software updates for its Cisco Secure Access Control System (ACS) in order to patch three vulnerabilities that could give remote attackers administrative access to the platform and allow them to execute OS-level commands without authorization.
Cisco ACS is a server appliance that enforces access control policies for both wireless and wired network clients. It's managed through a Web-based user interface and supports the RADIUS (Remote Access Dial In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) protocols.
Versions of the Cisco Secure ACS software older than 5.5 contain two vulnerabilities in the RMI (Remote Method Invocation) interface that's used for communication between different ACS deployments and listens on TCP ports 2020 and 2030.
One of the vulnerabilities, identified as CVE-2014-0648, stems from insufficient authentication and authorization enforcement and allows remote unauthenticated attackers to perform administrative actions on the system through the RMI interface.
The other vulnerability, identified as CVE-2014-0649, allows remote attackers with access to restricted user accounts to escalate their privileges and perform superadmin functions via the RMI interface.
A third vulnerability, tracked as CVE-2014-0650, was discovered in the system's Web-based interface and is the result of insufficient input validation. An unauthenticated remote attacker can exploit this vulnerability to inject and execute OS-level commands without shell access, Cisco said in a security advisory. This vulnerability affects Cisco Secure ACS software older than 5.4 patch 3.
There are no configuration workarounds available to mitigate these vulnerabilities, so updating the software to the new versions released by Cisco is recommended.
"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory," the company said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts