Cisco Clean Access (CCA) is a software solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network.
CCA includes an Application Program Interface (API) as part of its architecture. Because API methods can be invoked without authentication, an attacker can bypass security posture checking, change the role assigned to a user, disconnect users, and obtain information about configured users.
Cisco has made free software patches available to address this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20050817-cca.
-
This section provides details on affected products.
Vulnerable Products
- CCA releases 3.3.0 to 3.3.9
- CCA releases 3.4.0 to 3.4.5
- CCA releases 3.5.0 to 3.5.3
Products Confirmed Not Vulnerable
The following products are confirmed not vulnerable:
- Any CCA release previous to 3.3.0
- CCA release 3.5.4 or later
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The CCA solution comprises three main components:
- One or more CCA Servers
- A CCA Manager
- Optional CCA Agents
Customers configure the solution using a Web-based interface on the CCA Manager and the CCA Manager distributes that configuration to the CCA Servers.
As part of the solution, the CCA Manager offers a documented way to access the CCA Manager API over HTTPS (HTTP over TLS). The API provides methods that allow customer-written scripts to do the following:
- Modify the list of clean machines
- Change user roles
- Get user information
- Query a given user's login time
- Modify timeout values for established user sessions
- Perform some additional functions
A complete list of methods that can be invoked in this way can be found in the CCA Manager Installation and Administration Guide, page 13-21, available at http://www.cisco.com/en/US/products/ps6128/products_user_guide_list.html.
An attacker with access to the network where the CCA Manager is located can use a custom script to invoke the API without being required to provide authentication credentials.
This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCsb48572 (registered customers only).
-
The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.
No specific workaround has been identified for this vulnerability. However, the vulnerability can be mitigated by restricting access to the CCA Manager to known, trusted IP addresses. A sample access list follows (Note: ACL entries have been wrapped for easier reading):
! Permit HTTPS to the CCA Manager from the management network
access-list 101 permit tcp <management network address> <management network mask> host <CCA Manager server address> eq 443
! Permit HTTPS to the CCA Manager from a single trusted management host
access-list 101 permit tcp host <management host> host <CCA Manager server address> eq 443
! Deny HTTPS to the CCA Manager from everywhere else (first match wins)
access-list 101 deny tcp any host <CCA Manager server address> eq 443
! Leave all other traffic unaffected
access-list 101 permit ip any any
! Apply the ACL inbound on the interface facing the untrusted side
interface type/number
 ip access-group 101 in
Refer to the SAFE Security Blueprint for Enterprise Networks (available at http://www.cisco.com/go/safe) for additional information about how to secure your network management infrastructure.
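The following is an added example, not part of the Cisco advisory, that models the first-match evaluation of the sample access list above so an administrator can confirm what it does and does not block. The management network, management host and CCA Manager addresses are constructed sample values standing in for the advisory's placeholders; note that only TCP/443 to the manager is restricted, and all other traffic still falls through to the final permit.

```python
import ipaddress

# Constructed sample values standing in for the advisory's placeholders (assumptions).
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")      # <management network address/mask>
MGMT_HOST = ipaddress.ip_address("192.0.2.10")       # <management host>
CCA_MANAGER = ipaddress.ip_address("10.20.0.5")      # <CCA Manager server address>

# Entries mirror the advisory's access-list 101, in order.
# Tuple: (action, protocol, src matcher, dst matcher, dst port or None)
# A matcher is an ip_network (range), an ip_address (host) or None ("any").
ACL_101 = [
    ("permit", "tcp", MGMT_NET, CCA_MANAGER, 443),
    ("permit", "tcp", MGMT_HOST, CCA_MANAGER, 443),
    ("deny", "tcp", None, CCA_MANAGER, 443),
    ("permit", "ip", None, None, None),
]


def _match(matcher, addr):
    """True if addr is covered by matcher (None means 'any')."""
    if matcher is None:
        return True
    if isinstance(matcher, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in matcher
    return addr == matcher


def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry; IOS-style implicit deny otherwise."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, eport in acl:
        if eproto != "ip" and eproto != proto:   # "ip" entries match any protocol
            continue
        if not _match(esrc, src) or not _match(edst, dst):
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    for proto, src, dport in [("tcp", "10.10.0.7", 443), ("tcp", "198.51.100.9", 443),
                              ("tcp", "198.51.100.9", 22), ("udp", "198.51.100.9", 443)]:
        print(proto, src, "->", CCA_MANAGER, dport, evaluate(ACL_101, proto, src, CCA_MANAGER, dport))
```

Any port or protocol other than TCP/443 is still permitted by the final entry, so if the manager exposes other services, extend the list or narrow the trailing permit accordingly.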
-
When considering software upgrades, please also consult http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") for assistance.
Cisco has developed a software fix for this vulnerability for all affected versions. Once the fix is applied to a CCA Manager running an affected release, any attempt to access the API by a custom script will be authenticated against the user database.
In order to get the fix, customers should access the CCA software patches download page. The fix consists of two files:
- Patch-CSCsb48572.tar.gz - this file contains the fix for all affected software versions. It will determine at runtime the CCA software version in use and apply the appropriate fix.
- Readme-Patch-CSCsb48572.txt - this file contains instructions on how to apply the fix to a vulnerable CCA Manager server.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Cisco would like to thank Troy Holder from the North Carolina State University for bringing this to our attention.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.