[ISN] Cisco warns of flaws in ACS product

[InfoSec News]

http://www.computerworld.com/securitytopics/security/story/0,10801,95514,00.html

By Paul Roberts
AUGUST 26, 2004
IDG NEWS SERVICE

Networking equipment maker Cisco Systems Inc. is warning customers
about security holes in two products that provide user authentication
and authorization services for network devices such as firewalls and
routers.

The company issued a security advisory yesterday identifying "multiple
denial-of-service- and authentication-related vulnerabilities" in two
products: the Cisco Secure Access Control Server for Windows (Windows
ACS) and Cisco Secure Access Control Server Solution Engine (Secure
ACS). The vulnerabilities could allow attackers or malicious users to
crash the ACS products or gain unauthorized access to network devices.

ACS products centralize user identity management for other Cisco
products and management applications, allowing administrators to
manage and enforce access policies that control who can log into a
network.

Cisco found that both the Secure ACS and ACS Windows products stopped
responding to new TCP connections after being flooded with TCP
connections on Port 2002. The DoS condition hampered the ability of
the ACS devices to process authentication requests and required the
ACS devices to be rebooted to restore authentication services, Cisco
said.

In other instances, Cisco found that, under certain circumstances
attackers that faked (or "spoofed") the network address of a computer
that is accessing the ACS administrative user interface could access
that interface without being asked to log in first, Cisco said.

Cisco released product upgrades for ACS Windows Versions 3.2 and 3.3
and for the ACS Solution Engine. The company recommended that
customers with service contracts obtain the updates using the Cisco
Product Upgrade Tool or by contacting Cisco's technical assistance
center.