
Cisco Secure Access Control Server Solution Engine

Field Notice: *Expired* FN - 27615 - Cisco Secure Access Control Server (ACS) Solution Engine Version 3.2.1 Vulnerability and Mitigation Plan


Revised April 22, 2008
November 17, 2003


NOTICE:

THIS FIELD NOTICE HAS BEEN EXPIRED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Product             Top Assembly Part Number   Rev.   Comments
CSACSE-1111-K9      800-24018-01               A0     Cisco Secure ACS Solution Engine version 3.2; includes the Cisco 1111 hardware platform and Cisco Secure Access Control Server software, version 3.2
CSACSE-1111-UP-K9   800-24170-01               A0     Upgrade for customers running Cisco Secure ACS 3.X for Windows or Cisco Secure ACS for Unix to the Cisco Secure ACS Solution Engine version 3.2; includes the Cisco 1111 hardware platform and Cisco Secure Access Control Server software, version 3.2

Problem Description

Cisco customers may be experiencing problems with Cisco Secure Access Control Server (ACS) Solution Engine version 3.2.1 due to recent worm attacks on the Internet. Two worms, Blaster and Nachi, exploit Windows systems that have not been patched for Microsoft MS03-026; Nachi additionally exploits the WebDAV vulnerability described in MS03-007. Details of these vulnerabilities are in the following Microsoft bulletins:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The effects of these worms on Cisco Secure ACS version 3.2.1 can be mitigated by blocking the ports they use to spread and to scan for new hosts to infect. This bulletin describes the measures Cisco recommends for cleaning infected ACS Solution Engines and for protecting them against future infection.

Background

The following User Datagram Protocol (UDP) ports were listening on Cisco Secure ACS Solution Engine version 3.2.1 and were exposed to the Blaster and Nachi worms:

  • UDP Port 135 - used by Microsoft RPC service

  • UDP Port 137 - used by NetBIOS Name Service

  • UDP Port 138 - used by NetBIOS Datagram

  • UDP Port 445 - used by the File and Printer Sharing for Microsoft Network and the Client for Microsoft Network services on the ACS Appliance.

Cisco Secure ACS Solution Engine Hotfix KB824146 resolves this exposure in two ways: it applies the Microsoft MS03-039 patch, which supersedes MS03-026, and it hardens the underlying operating system by disabling UDP ports 137, 138, and 445. The Hotfix also uninstalls the "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" services on the Cisco Secure ACS Solution Engine.

Note: The Hotfix leaves port 135 open because the MS RPC service requires it. With MS03-039 applied, the Blaster and Nachi worms can no longer infect the ACS Solution Engine through this port. The RPC endpoint mapper nonetheless remains reachable, so filter port 135 at the network edge as well; note that the worms' RPC DCOM exploit traffic arrives over TCP 135, so an access list must cover TCP as well as UDP.

Problem Symptoms

Affected customers have been experiencing unusually high volumes of traffic from both internal and external systems. Symptoms on the Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces. See also the following Cisco Security Notices:

Cisco Security Notice: W32.BLASTER Worm Mitigation Recommendations

Cisco Security Notice: Nachi Worm Mitigation Recommendations
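To act on these symptoms, an operator needs to know which hosts are sweeping the ports listed under Background: those are the machines to clean with the procedure below and to keep away from the ACS Solution Engine. The following Python script is an added example, not part of this field notice and not a Cisco tool. It generates a Cisco IOS extended access list that denies and logs TCP and UDP traffic to ports 135, 137, 138, and 445 (the worms' RPC DCOM exploit arrives over TCP 135, so both protocols are covered), then parses the resulting %SEC-6-IPACCESSLOGP deny messages and flags sources that hit worm ports on several distinct destinations. The ACL name BLOCK-WORM-PORTS, the threshold of three destinations, and the syslog lines in SAMPLE_LOG are all constructed for this example.

```python
import re
from collections import defaultdict

# Ports the field notice lists as exposed on the ACS Solution Engine. The notice
# lists them as UDP; Blaster's and Nachi's RPC DCOM exploit actually arrives
# over TCP 135, so the ACL below denies both protocols.
WORM_PORTS = (135, 137, 138, 445)

# ACL name and destination threshold are assumptions made for this example.
ACL_NAME = "BLOCK-WORM-PORTS"


def acl_lines(ports=WORM_PORTS, name=ACL_NAME):
    """Build a Cisco IOS named extended ACL that denies and logs the worm ports
    over TCP and UDP, then permits everything else. Apply it inbound on the
    interface facing untrusted hosts (ip access-group <name> in)."""
    lines = [f"ip access-list extended {name}"]
    for port in ports:
        lines.append(f" deny tcp any any eq {port} log")
        lines.append(f" deny udp any any eq {port} log")
    lines.append(" permit ip any any")
    return lines


# IOS logs a deny from an ACL entry carrying the 'log' keyword as, for example:
# %SEC-6-IPACCESSLOGP: list BLOCK-WORM-PORTS denied tcp 10.1.1.50(1184) -> 10.2.0.1(135), 1 packet
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_denies(lines, ports=WORM_PORTS):
    """Yield (src, dst, proto, dport, packets) for each logged deny to a worm port.
    Lines that are not IPACCESSLOGP messages, or that hit other ports, are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        dport = int(m.group("dport"))
        if dport in ports:
            yield (m.group("src"), m.group("dst"), m.group("proto"),
                   dport, int(m.group("count")))


def suspected_scanners(lines, min_targets=3):
    """Map each source to the sorted distinct destinations it probed on worm
    ports, keeping only sources with at least min_targets destinations. A worm
    sweeps address ranges; a legitimate RPC/NetBIOS client talks to a few servers."""
    targets = defaultdict(set)
    for src, dst, _proto, _dport, _packets in parse_denies(lines):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


# Constructed sample syslog output: the router name, addresses and timestamps
# are made up for this example, in the format IOS uses for logged ACL denies.
SAMPLE_LOG = """\
Nov 17 10:01:02 rtr1 123: %SEC-6-IPACCESSLOGP: list BLOCK-WORM-PORTS denied tcp 10.1.1.50(1184) -> 10.2.0.1(135), 1 packet
Nov 17 10:01:02 rtr1 124: %SEC-6-IPACCESSLOGP: list BLOCK-WORM-PORTS denied tcp 10.1.1.50(1185) -> 10.2.0.2(135), 1 packet
Nov 17 10:01:03 rtr1 125: %SEC-6-IPACCESSLOGP: list BLOCK-WORM-PORTS denied tcp 10.1.1.50(1186) -> 10.2.0.3(135), 1 packet
Nov 17 10:01:03 rtr1 126: %SEC-6-IPACCESSLOGP: list BLOCK-WORM-PORTS denied tcp 10.1.1.50(1187) -> 10.2.0.4(135), 1 packet
Nov 17 10:01:05 rtr1 127: %SEC-6-IPACCESSLOGP: list BLOCK-WORM-PORTS denied udp 10.1.1.7(137) -> 10.2.0.9(137), 1 packet
Nov 17 10:01:06 rtr1 128: %SEC-6-IPACCESSLOGP: list BLOCK-WORM-PORTS denied tcp 10.1.1.7(1030) -> 10.2.0.9(445), 2 packets
Nov 17 10:01:07 rtr1 129: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 10.1.1.8(1040) -> 10.2.0.20(80), 1 packet
Nov 17 10:01:08 rtr1 130: %SYS-5-CONFIG_I: Configured from console by vty0
"""

if __name__ == "__main__":
    print("\n".join(acl_lines()))
    for src, dsts in suspected_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {len(dsts)} hosts on worm ports: {', '.join(dsts)}")
```

A source that appears in the result is a candidate for the infected-appliance procedure under Workaround/Solution; a host that legitimately uses NetBIOS or RPC toward one or two servers (10.1.1.7 in the sample) stays below the threshold, and denies from other access lists or to other ports are ignored. Tune min_targets to the size of the address ranges behind the ACL, and remember that the `log` keyword on a busy interface costs CPU on the router, which is itself one of the symptoms described above.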

Workaround/Solution

  1. Cisco Secure ACS Solution Engine NOT infected:

    Customers can download Cisco Secure ACS Solution Engine Hotfix KB824146

    To verify the existence of Cisco Secure ACS Solution Engine Hotfix KB824146 on your appliance, check the System Configuration menu, then select the Appliance Upgrade Status item.

    The instructions for upgrading or applying a hotfix to the Cisco Secure ACS Solution Engine are documented under "Upgrading the Appliance" on the Administering the Cisco Secure ACS Appliance page, and in the Readme.txt file that accompanies the KB824146 Hotfix.

    Cisco Secure ACS maintenance release 3.2.2 and later will include Cisco Secure ACS Solution Engine Hotfix KB824146. The target release date for 3.2.2 is December 29th, 2003.

  2. Cisco Secure ACS Solution Engine infected:

    1. Apply the guilogon patch, which can be obtained from Cisco TAC.

    2. Apply the acs_hotfix_kb824146 patch described above.

    3. Download and run a virus-removal tool such as McAfee Stinger from http://vil.nai.com/vil/averttools.asp#stinger

    4. Roll back the guilogon patch.

    5. Reboot the appliance.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.