[ISN] Cisco warns of flaws in ACS product

InfoSec News isn at c4i.org
Fri Aug 27 06:12:16 EDT 2004


By Paul Roberts
AUGUST 26, 2004

Networking equipment maker Cisco Systems Inc. is warning customers
about security holes in two products that provide user authentication
and authorization services for network devices such as firewalls and

The company issued a security advisory yesterday identifying "multiple
denial-of-service- and authentication-related vulnerabilities" in two
products: the Cisco Secure Access Control Server for Windows (Windows
ACS) and Cisco Secure Access Control Server Solution Engine (Secure
ACS). The vulnerabilities could allow attackers or malicious users to
crash the ACS products or gain unauthorized access to network devices.

ACS products centralize user identity management for other Cisco
products and management applications, allowing administrators to
manage and enforce access policies that control who can log into a

Cisco found that both the Secure ACS and ACS Windows products stopped
responding to new TCP connections after being flooded with TCP
connections on Port 2002. The DoS condition hampered the ability of
the ACS devices to process authentication requests and required the
ACS devices to be rebooted to restore authentication services, Cisco

In other instances, under certain circumstances, attackers who faked
(or "spoofed") the network address of a computer that is accessing the
ACS administrative user interface could access that interface without
being asked to log in first, Cisco said.

Cisco released product upgrades for ACS Windows Versions 3.2 and 3.3
and for the ACS Solution Engine. The company recommended that
customers with service contracts obtain the updates using the Cisco
Product Upgrade Tool or by contacting Cisco's technical assistance
