AV:R/AC:L/Au:NR/C:C/I:N/A:N/B:N/E:F/RL:W/RC:Uc
-
Cisco Secure Access Control Server for Unix incorporates the Acme.server and is therefore affected by a directory traversal vulnerability. The fix has been included in ACS Unix version 2.3.6.1, which is currently available.
This vulnerability is detailed in Cisco Bug ID CSCdu47965.
This advisory is available at: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020702-acsunix-acmeweb.
-
This section provides details on affected products.
Vulnerable Products
The defects described in this document are present in releases beginning with version 2.0 up to and including version 2.3.6 of Cisco Secure ACS for Unix Server.
Products Confirmed Not Vulnerable
Cisco Secure ACS for Windows NT is not vulnerable to this issue. Cisco Access Registrar is not vulnerable to this issue.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
This vulnerability exists within the Acme.server program that is part of the Cisco Secure ACS Unix installation. This vulnerability has been repaired in the Acme.server utility. The patch is available for Cisco customers, and has now been incorporated into the Cisco Secure ACS Unix product.
The vulnerability is triggered when someone browses to the server URL and adds trailing slashes as in the following example: http://servername:9090///. This exploit will display the files and filesystem of the target server.
This vulnerability has been assigned Cisco bug ID CSCdu47965.
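As an added illustration (not part of the advisory, and not Cisco or Acme code), the following Python scans web-server access-log lines for the request form described above, a path carrying repeated slashes such as the "///" example, and shows the path normalization a request handler would apply before mapping a path to the filesystem. The log lines are constructed samples in Common Log Format.

```python
import re

# Constructed sample access-log lines (Common Log Format); not real ACS data.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2002:10:00:01 -0700] "GET / HTTP/1.0" 200 512
10.0.0.9 - - [02/Jul/2002:10:00:07 -0700] "GET /// HTTP/1.0" 200 8734
10.0.0.9 - - [02/Jul/2002:10:00:12 -0700] "GET //docs/ HTTP/1.0" 200 1290
10.0.0.5 - - [02/Jul/2002:10:01:00 -0700] "GET /index.html HTTP/1.0" 200 3011
"""

# Minimal CLF parser: client, timestamp, method, request path, status code.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_clf(line):
    """Return a dict of fields, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_repeated_slash_path(path):
    """True when the request path contains two or more adjacent slashes
    (the '///' form named in the advisory is one instance)."""
    return '//' in path

def normalize_path(path):
    """Collapse runs of slashes to a single slash, as a request handler
    should before resolving the path against the filesystem."""
    return re.sub(r'/+', '/', path)

def find_suspicious_requests(log_text):
    """Return (client, raw path, status) for each request whose path
    carries repeated slashes and therefore merits review."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_repeated_slash_path(rec['path']):
            hits.append((rec['client'], rec['path'], rec['status']))
    return hits

if __name__ == '__main__':
    for client, path, status in find_suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested {path!r} (normalizes to "
              f"{normalize_path(path)!r}), status {status}")
```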
-
Workarounds for this vulnerability are general recommendations: protect the Cisco Secure ACS for Unix with strong firewalls and access controls, and prevent any external or unauthenticated access to the system, and to port 9090 in particular. This is an interim workaround only, and a patch or upgrade is recommended.
For this issue, a patch is available which may be installed in place of an upgrade. The patch is available at the following temporary location:
ftp://ftpeng.cisco.com/ftp/csu/Acme-Patch.tar.Z
For any assistance with the patch, please contact the TAC. This patch fixes the security problem with the Acme.server. It includes the modified files provided by Acme. This patch can be applied for any supported version of Cisco Secure, that is, CiscoSecure/Unix 2.3(3) or later. The patch consists of one file: FastAdmin/Acme.zip.
Patch Installation Instructions
To install the patch, follow the instructions below. The commands need to be executed on your Cisco Secure ACS Unix by the administrator.
-
Stop Cisco Secure by entering the command:
/etc/rc0.d/K80CiscoSecure
-
Change to the base directory where Cisco Secure is installed.
cd $BASEDIR
-
Copy the compressed tar file Acme-Patch.tar.Z into the current directory.
-
Uncompress and untar the file.
uncompress Acme-Patch.tar.Z
tar xvf Acme-Patch.tar
-
Start Cisco Secure with the command:
/etc/rc2.d/S80CiscoSecure
-
There is a patch available, and the fixes are included in Cisco Secure ACS Unix version 2.3.6.1 and all versions going forward. For existing versions, the patch may be applied, which resolves the issue. There is no need to upgrade to a newer version.
-
The issue with the Acme.server was posted to the Bugtraq list in June 2001, although no specific mention of the Cisco product was made in the original posting. Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.2
2002-July-24
Update to Affected Products section
Revision 1.1
2002-July-03
Update to Workarounds section
Revision 1.0
2002-July-02
Initial Public Release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.