Cisco warns over pair of network flaws

Cisco Systems has issued an advisory about two serious software vulnerabilities in one of its network access control products, Cisco NAC Appliance, also known as Cisco Clean Access (CCA).

Cisco NAC Appliance, which checks external devices attempting to log on to a company network are compliant with security policy, contains two flaws that an attacker could use to gain control of the devices, or compromise sensitive information including passwords.

The NAC Appliance includes software that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access a network. Clean Access consists of two applications that work in tandem: Clean Access Manager (CAM) and Clean Access Server (CAS).

For the CAM to authenticate to the CAS, each holds a "shared secret" - pieces of information which, when combined, allow authentication to occur. It appears, though, that this system is flawed in older versions of the software.

According to the Cisco advisory, the vulnerability - called "unchangeable shared secret" - means the shared secret cannot be properly set or changed during setup. This also means the shared secret will be the same across all affected devices, which drastically reduces its cryptographic effectiveness.

To exploit this vulnerability the adversary must first be able to establish a TCP connection to the CAS.

Successful exploitation of the unchangeable shared secret vulnerability may enable a malicious user to take administrative control of a CAS. After that, every aspect of CAS can be changed including its configuration and setup, said Cisco.

Versions affected by this vulnerability are CCA releases 3.6.x to 3.6.4.2 and releases 4.0.x to 4.0.3.2.

Releases that contain the fix for this vulnerability are 3.6.4.3, 4.0.4 and 4.1.0. All subsequent releases already contain a fix.

An alternative is to install patch Patch-CSCsg24153.tar.gz which is available from Cisco's website.

The second vulnerability, called "readable snapshots", means that manual back-ups of the database - or "snapshots" - taken on the CAM are susceptible to brute force download attacks. A malicious user can guess the file name and download it without authentication. The file itself is not encrypted or otherwise protected.

The snapshot contains sensitive information that can aid in attacks on the CAS, or can be used to compromise the CAM. Among other things, the snapshot can contain passwords in cleartext.

Versions affected by the readable snapshots vulnerability are CCA releases 3.5.x to 3.5.9 and releases 3.6.x to 3.6.1.1.

Releases that contain the fix for this vulnerability are 3.5.10 and 3.6.2. All subsequent releases will contain the fix, said Cisco.

No patch is available for the readable snapshots vulnerability but a workaround is possible by removing snapshot files from the device shortly after they are created. If the snapshot file needs to be preserved then it can be moved to a different computer or archived on a secondary storage, said Cisco. Alternatively, the snapshot file can be deleted from the device.

There are currently no known exploits for either vulnerability.

Tom Espiner writes for ZDNet UK