BugTraq
SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure May 08 2006 06:29PM
research symantec com (1 replies)
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Symantec Vulnerability Research

https://www.symantec.com/research

Security Advisory

Advisory ID : SYMSA-2006-003

Advisory Title: Cisco Secure ACS for Windows - Administrator

Password Disclosure

Author : Andreas Junestam

Release Date : 05-08-2006

Application : Cisco Secure ACS 3.x for Windows

Platform : Microsoft Windows

Severity : System access / exploit available

Vendor status : Vendor verified, workaround available

CVE Number : CVE-2006-0561

Reference : http://www.securityfocus.com/bid/16743

Overview:

Cisco Secure ACS is a central administration platform for

Cisco network devices. It controls authentication and

authorization for enrolled devices. Administrative

passwords for locally-defined users are stored in such a

way they can be obtained from the Windows registry. If

remote registry access is enabled, this can be done over

the network.

If Cisco Secure ACS is configured to use an external

authentication service such as Windows Active Directory or

LDAP, the passwords for users stored by those services are

not vulnerable to this issue.

Details:

Cisco Secure ACS 3.x for Windows stores passwords for

administrative users in the registry. The passwords are

encrypted using the Crypto API Microsoft Base Cryptographic

Provider v1.0. Along with the passwords, ACS also stores

the key used to encrypt the information. This information

can easily be obtained locally by a Windows administrator,

and if remote registry access is enabled, it can be

obtained over the network. With this, the clear-text

passwords can be recovered by decrypting the information

in the registry with the supplied key. Access to these

passwords provides access to all Cisco devices controlled

by the ACS server.

Vendor Response:

Cisco Secure ACS 3.x for Windows stores the passwords of

ACS administrators in the Windows registry in an encrypted

format. A locally generated master key is used to

encrypt/decrypt the ACS administrator passwords. The master

key is also stored in the Windows registry in an encrypted

format. Using Microsoft cryptographic routines, it is

possible for a user with administrative privileges to a

system running Cisco Secure ACS to obtain the clear-text

version of the master key. With the master key, the user

can decrypt and obtain the clear-text passwords for all

ACS administrators. With administrative credentials to

Cisco Secure ACS, it is possible to change the password

for any locally defined users. This may be used to gain

access to network devices configured to use Cisco Secure

ACS for authentication.

If remote registry access is enabled on a system running

Cisco Secure ACS, it is possible for a user with

administrative privileges (typically domain administrators)

to exploit this vulnerability.

If Cisco Secure ACS is configured to use an external

authentication service such as Windows Active Directory /

Domains or LDAP, the passwords for users stored by those

services are not at risk to compromise via this

vulnerability.

This vulnerability only affects version 3.x of Cisco Secure

ACS for Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco

Secure ACS for UNIX are not vulnerable. Cisco Secure ACS 3.x

appliances do not permit local or remote Windows registry

access and are not vulnerable.

Workaround:

It is possible to mitigate this vulnerability by

restricting access to the registry key containing the

ACS administrators' passwords. One feature of Windows

operating systems is the ability to modify the permissions

of a registry key to remove access even for local or

domain administrators. Using this feature, the registry

key containing the ACS administrators' passwords can be

restricted to only the Windows users with a need to

maintain the ACS installation or operate the ACS services.

The following registry key and all of its sub-keys need to

be protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

Note: The "CiscoAAAv3.3" portion of the registry key path

may differ slightly depending on the version of Cisco Secure

ACS for Windows that is installed.

There are two general deployment scenarios for Cisco Secure

ACS. The Windows users that need permissions to the registry

key will depend on the deployment type.

* If Cisco Secure ACS is not installed on a Windows domain

controller, access to the registry key should be limited to

only the local Windows SYSTEM account and specific local /

domain administrators who will be performing software

maintenance on the ACS installation.

* If Cisco Secure ACS is installed on a Windows domain

controller, access to the registry key should be limited to

the domain account which ACS is configured to use for its

services, the local Windows SYSTEM account and specific

local / domain administrators who will be performing

software maintenance on the ACS installation.

For information about editing the Windows registry, please

consult the following Microsoft documentation.

"Description of the Microsoft Windows registry"

http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986

Further mitigation against remote exploitation can be

achieved by restricting access to authorized users or

disabling remote access to the Windows registry on systems

running Cisco Secure ACS for Windows. For information on

restricting remote registry access, please consult the

following Microsoft documentation.

"How to restrict access to the registry from a remote computer"

http://support.microsoft.com/kb/q153183

"How to Manage Remote Access to the Registry"

http://support.microsoft.com/kb/q314837

Recommendation:

Follow your organization's testing procedures before

applying patches or workarounds. See Cisco's instructions

on how to place an ACL on the Registry Key, and also how

to restrict remote access to the Windows registry.

These recommendations do not eliminate the vulnerability,

but provide some mitigation.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned

the following names to these issues. These are candidates for

inclusion in the CVE list (http://cve.mitre.org), which standardizes

names for security problems.

CVE-2006-0561

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:

research (at) symantec (dot) com [email concealed]

For details on Symantec's Vulnerability Reporting Policy:

http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:

http://www.symantec.com/research/

Symantec Vulnerability Research PGP Key:

http://www.symantec.com/research/Symantec_Vulnerability_Research_PGP.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:

secure (at) symantec (dot) com [email concealed]

For general information on Symantec's Product Vulnerability

reporting and response:

http://www.symantec.com/security/

Symantec Product Advisory Archive:

http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:

http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.a
sc

- ---------------------------------------------------------------

Copyright (c) 2006 by Symantec Corp.

Permission to redistribute this alert electronically is granted

as long as it is not edited in any way unless authorized by

Symantec Consulting Services. Reprinting the whole or part of

this alert in any medium other than electronically requires

permission from cs_advisories (at) symantec (dot) com. [email concealed]

Disclaimer

The information in the advisory is believed to be accurate at the

time of publishing based on currently available information. Use

of the information constitutes acceptance for use in an AS IS

condition. There are no warranties with regard to this information.

Neither the author nor the publisher accepts any liability for any

direct, indirect, or consequential loss or damage arising from use

of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are

registered trademarks of Symantec Corp. and/or affiliated companies

in the United States and other countries. All other registered and

unregistered trademarks represented in this document are the sole

property of their respective companies/owners.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEXR5muk7IIFI45IARArK+AJwOzswbkJN2WirzNweklR+iBBHpsQCgyNOe

vKVo3Si7ycswRs/2kiA997I=

=dkX3

-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus