Cisco NAC Appliance Agent Installation Bypass Vulnerability Aug 26 2006 12:23AM
Andreas Gal (gal uci edu) (2 replies)
Re: Cisco NAC Appliance Agent Installation Bypass Vulnerability Aug 26 2006 08:31PM
Eloy Paris (elparis cisco com) (1 replies)
Hash: SHA1


On Fri, Aug 25, 2006 at 08:23:28PM -0400, Andreas Gal wrote:


> Vulnerability:
> Previous versions of the software allowed users to bypass the "mandatory"
> installation of the Clean Access Agent by changing the browser user-agent
> string. With version 3.6.0, Cisco added additional detection mechanisms
> such as TCP fingerprinting and JavaScript OS detection. By changing the
> default parameters of the Windows TCP/IP stack and using a custom HTTPS
> client (instead of a browser) the user can still connect to the network
> without running any host-based checks. Authentication and remote checks
> are not affected.


This is the Cisco PSIRT response to the above statements made by Andreas
Gal and Joachim Feise in their advisory entitled "NAC agent installation
bypass", which was posted to the Bugtraq and full-disclosure mailing

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information

The goal of the attack described in the advisory is to bypass the
Operating System (OS) detection mechanisms available in the NAC
(Network Admission Control ) appliance software, in order to prevent
the mandatory installation of the Cisco Clean Access (CCA) Agent. If
the CCA Agent is not installed, machines that do not comply with the
configured software policies will not be automatically patched/upgraded
or quarantined on initial access to the network.

While it is possible to bypass the mandatory agent installation by
following the steps in the advisory, it should be noted that:

1) Users cannot bypass authentication using the approach described in
the advisory. Accordingly, unauthorized users (i.e., users with no
credentials or invalid credentials) will not be able to gain access to
the network using such approach.

2) If an administrator is concerned that users might attempt to
bypass CCA Agent installation by masquerading a Windows machine as a
non-Windows machine (e.g., Linux, MacOSX, etc.), the administrator can
define Network Scanning rules on the CCA Manager and use network scans
to perform additional OS-specific checks. This process should detect
users attempting to masquerade their Windows machines as non-Windows

Additional information on how to configure Network Scanning rules can be
found in the Tech Note entitled Clean Access - Use the Network Scanning
Feature to Detect Users Who Attempt to Bypass Agent Checks.

3) If a malicious user installs a personal firewall or similar software
for the purpose of making the network scan time out, CCA provides
options to quarantine such malicious users. Following such quarantine,
administrators can then determine if users are attempting to masquerade
their OS. Alternatively, network administrators can ask users to
configure their personal firewalls to allow any traffic sourced from
the Clean Access Server (CAS) IP address, so that it can successfully
perform network scans.

4) Customers can also manually install either the CCA Agent software
or the CCA Agent Installation stub (available in CCA version 4.0.0 and
above) on end-user Windows machines, instead of using the OS detection
routines. This will completely prevent the agent installation bypass
described in the advisory from Andreas Gal and Joachim Feise.

This response will also be posted to


Eloy Paris.-
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
Version: GnuPG v1.4.5 (GNU/Linux)


[ reply ]
Re: Cisco NAC Appliance Agent Installation Bypass Vulnerability Aug 29 2006 10:20PM
Joe Feise (jfeise feise com)
Re: Cisco NAC Appliance Agent Installation Bypass Vulnerability Aug 26 2006 07:24PM
Udo Sprotte (USprotte web de)


Privacy Statement
Copyright 2010, SecurityFocus