Cisco Secure Access Control Server for Windows

Field Notice: FN - 61965 - CS ACS for Windows Downloadable IP Access Control List Vulnerability


Revised April 13, 2006 (initial release December 27, 2005)

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product          Comments
VPN3000          -
CVPN3002         -
FWSM             -
PIX              6.3
ACS - 3.0WN2K    -
ACS - 3.1WN2K    -
ACS - 3.2WN2K    -
ACS - 3.3WN2K    Application and Appliance
ASA - 7.0        7.0(1)

Problem Description

The Downloadable IP Access Control List (ACL) feature found in Cisco Secure Access Control Server (CS ACS) for Windows versions 3.0 through 3.3.3 may allow an unauthorized user to gain network access through a Remote Access Server or Network Access Server (RAS/NAS).

This issue has been resolved in CS ACS Version 4.0.1 as well as PIX version 6.3(5), PIX/ASA 7.0(2), Cisco IOS® Software Version 12.3(8)T4 and VPN 3000 versions 4.0.5.B and 4.1.5.B. FWSM is under investigation and while not resolved, there is a workaround to mitigate the issue. The software fix has rendered the newer version of CS ACS incompatible with the earlier version of the RAS/NAS software. Customers utilizing Downloadable IP ACLs who upgrade ACS to versions 4.0.1 or later must also upgrade any RAS/NAS device software at the same time in order to resolve this issue.

If the ACS server is upgraded to software version 4.0.1 or later before the RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be declined. However, no harm will result to Downloadable IP ACL functionality if the RAS/NAS devices are upgraded to the new software before the ACS server software is upgraded. In either case, normal RADIUS user authentication will not be affected.

Background

CS ACS Server for Windows version 3.0 introduced the Downloadable PIX ACL feature which allows for user-specific ACLs to be downloaded to a PIX Firewall. CS ACS Server for Windows version 3.2 broadened the supported range of RAS/NAS devices to include IOS routers as well as VPN 3000 concentrators and the feature was renamed to Downloadable IP ACL.

Communication between the RAS/NAS device and ACS server takes place using the standard RADIUS (PAP) protocol in a manner very similar to typical RADIUS user authentication. The ACL name to be downloaded is placed in the "User-Name" RADIUS attribute but otherwise the request appears to be a typical user authentication request. When the ACS server receives the request and determines that the "User-Name" is one of its configured downloadable IP ACLs it responds with the ACL content in an "Access-Accept" RADIUS packet.

If a malicious attacker knows the name of a Downloadable IP ACL configured on the ACS server, they may use the name of that ACL as their user name when prompted to provide credentials by a RAS/NAS. When the ACS server receives the authentication request from the RAS/NAS it believes that it is a request to receive the specified ACL (rather than a user authentication request) and responds with a typical RADIUS "Access-Accept" message in addition to the ACL. When the RAS/NAS receives this response it interprets it as permission to access the network and grants the attacker access.

For several reasons, described below, this vulnerability is very unlikely to be exploited in the ACS 3.3.3 code, and it has been resolved in the 4.0.1 code. However, implementing this fix changed the behavior of downloadable ACLs, so other software had to be updated to work with this change.

Learning the Downloadable IP ACL names is very difficult:

There are three potential sources where the attacker might find out the names of existing downloadable ACLs.

  1. Sniff the RADIUS traffic between the RAS/NAS and ACS server. This means that the attacker must have access to the network traffic between the RAS/NAS and ACS server.

  2. Browse the ACS server configuration. For this the attacker must be an ACS administrator with read privileges or have otherwise compromised the ACS server. Also, the Downloadable IP ACL name shown in the ACS user interface differs from the "User-Name" sent by the device: the attacker must also understand how the time stamp is built, and know the exact server time at which the ACL was last edited, in order to determine the exact "User-Name" to use.

  3. Browse the RAS/NAS configuration. Running show run or a similar command on the RAS/NAS device in enable mode reveals the names of all downloadable ACLs in use. As in the previous case, the attacker must be a RAS/NAS administrator with read privileges or have otherwise compromised the RAS/NAS device.

The Downloadable IP ACL names change dynamically:

  1. Editing the Downloadable IP ACLs on the ACS server even if no change is made will result in a new ACL name being generated.

  2. Re-starting the CSRadius (ACS) service will purge the cache of all downloadable ACL names and force all ACLs to be renamed.

Problem Symptoms

If appropriate levels of AAA logging are enabled on the RAS/NAS devices and/or ACS server then the use of Downloadable IP ACL names as user names may be clearly identified. AAA log entries for the RAS/NAS device as well as "passed authentication" log entries on the ACS server would indicate that a user with a username based on a Downloadable IP ACL requested and was granted network access.

Note: The user name used by the Downloadable IP ACL feature contains more characters than the name given to the ACL in the ACS management screen. It is preceded by an ACS ACL identifier string and followed by date and time stamp information. For example, a Downloadable IP ACL created on the ACS server with the name "IP-test" will result in a user name such as "#ACSACL#-IP-test-40d050cd". AAA logs containing passed authentication entries with user names formatted like this are a clear indication that this issue has been exploited.

Below is a sample ACS "passed authentication" log with one entry showing a Downloadable IP ACL user authentication in .csv format:

Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address 
02/08/2005,15:56:17,Authen OK,#ACSACL#-IP-test-40d050cd,Default Group,,,192.168.254.252
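
As an added example, not part of the field notice, the following Python script shows how the indicator described above can be checked mechanically: it reads an ACS "passed authentication" export in the .csv layout shown and flags every "Authen OK" row whose User-Name has the "#ACSACL#-<name>-<stamp>" shape. The sample log is constructed here; its first row copies the entry from the notice, and the other rows are made-up contrast data.

```python
import csv
import io
import re

# Constructed sample of an ACS "passed authentication" CSV export (not a real
# capture). Row 1 mirrors the entry shown in the field notice; rows 2 and 3 are
# added here for contrast: one ordinary login and one more ACL-shaped name.
SAMPLE_LOG = """Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address
02/08/2005,15:56:17,Authen OK,#ACSACL#-IP-test-40d050cd,Default Group,,,192.168.254.252
02/08/2005,15:57:02,Authen OK,jsmith,Default Group,10.1.1.20,5,192.168.254.252
02/08/2005,15:58:40,Authen OK,#ACSACL#-IP-vpnusers-40d06a11,Default Group,,,192.168.254.253
"""

# User-Name shape from the notice: "#ACSACL#-" prefix, the administrator-chosen
# ACL name, then a time-stamp suffix. The suffix is assumed here to be eight hex
# digits, matching the "#ACSACL#-IP-test-40d050cd" example in the notice.
DACL_USERNAME = re.compile(r"^#ACSACL#-(?P<acl>.+)-(?P<stamp>[0-9a-f]{8})$")


def find_dacl_logins(log_text):
    """Return one dict per passed-authentication row whose User-Name is a
    Downloadable IP ACL identifier rather than a real user name."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        m = DACL_USERNAME.match(row.get("User-Name", ""))
        if m and row.get("Message-Type") == "Authen OK":
            hits.append({
                "date": row["Date"],
                "time": row["Time"],
                "acl": m.group("acl"),      # name as shown in the ACS UI
                "stamp": m.group("stamp"),  # time-stamp part of the identifier
                "nas": row["NAS-IP-Address"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_dacl_logins(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} NAS {hit['nas']}: "
              f"network access granted under ACL name {hit['acl']!r} "
              f"(stamp {hit['stamp']})")
```

Feed the function the text of a real ACS passed-authentication export to apply the same check; any hit is the symptom the notice describes and should be correlated with the RAS/NAS AAA log for the same time and NAS address.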

If the ACS server is upgraded to SW version 4.0.1 or later before the RAS/NAS devices are upgraded as well, all Downloadable IP ACL requests will be declined. However, no harm will result to Downloadable IP ACL functionality if the RAS/NAS devices are upgraded to the new software first. In either case, normal RADIUS user authentication will not be affected.

Workaround/Solution

For VPN3000, FWSM, PIX, and ASA, RADIUS access-lists using the Cisco AV pair can be used instead of Cisco downloadable IP access-lists. This workaround is detailed under the product-specific DDTS entries.

For IOS, the only workaround is to disable the Downloadable IP ACL feature. This prevents the ACS from authorizing users whose names are equivalent to Downloadable IP ACL names. RADIUS access-lists using the Cisco AV pair are not a workaround for this issue.

The solution is to upgrade both the ACS server as well as all RAS/NAS devices to the software releases that include the fix. In the newer software releases, the Downloadable IP ACL RADIUS requests have been modified so that they may be distinguished from normal user authentication requests.

If the ACS server is upgraded to software version 4.0.1 or later before the RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be declined. However, no harm will result to Downloadable IP ACL functionality if the RAS/NAS devices are upgraded to the new software before the ACS server software is upgraded. In either case, normal RADIUS user authentication will not be affected. There is also a patch available for 3.3.3 users that can be obtained by contacting Cisco TAC and requesting the 3.3.3 ACS patch for Downloadable ACLs.
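
The following Python model is an added illustration, not code from the field notice or from Cisco, of the two points made in the Background and Workaround/Solution sections: in the 3.x design the ACL-download request is told apart from a user login only by the User-Name, and the fix adds a request marker that both sides must understand. The AcsServer class, the dacl_marker flag (standing in for the new RADIUS VSA the DDTS entries mention, whose attribute and value the notice does not give), the user table and the ACL body are all constructed assumptions; the ACL identifier is the example name from the notice.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Example identifier in the form the field notice shows, plus a constructed ACL body.
DACL_NAME = "#ACSACL#-IP-test-40d050cd"
DACL_BODY = "permit ip any any"        # placeholder content, not a real ACL


@dataclass
class AccessRequest:
    """Stand-in for a RADIUS Access-Request carrying only what this model needs
    (not a real RADIUS encoder)."""
    user_name: str
    password: str
    # Hypothetical flag representing the new RADIUS VSA that fixed RAS/NAS
    # software adds to ACL-download requests; the notice names neither the
    # attribute nor its value, so this is an assumption of the model.
    dacl_marker: bool = False


@dataclass
class AccessResponse:
    code: str                          # "Access-Accept" or "Access-Reject"
    acl_content: Optional[str] = None  # ACL text returned on a download


class AcsServer:
    """Model of the ACS dispatch decision. require_marker=False behaves like the
    3.x code the notice describes; True behaves like the fixed 4.0.1+ code."""

    def __init__(self, users: Dict[str, str], dacls: Dict[str, str], require_marker: bool):
        self.users = users      # user name -> PAP password
        self.dacls = dacls      # "#ACSACL#-..." identifier -> ACL text
        self.require_marker = require_marker

    def handle(self, req: AccessRequest) -> AccessResponse:
        is_download = req.user_name in self.dacls
        if self.require_marker:
            # Fixed behaviour: the name alone no longer selects the download
            # path; the request must also carry the marker.
            is_download = is_download and req.dacl_marker
        if is_download:
            return AccessResponse("Access-Accept", self.dacls[req.user_name])
        # Everything else is ordinary user authentication against the user table.
        if self.users.get(req.user_name) == req.password:
            return AccessResponse("Access-Accept")
        return AccessResponse("Access-Reject")


def make_acs(fixed: bool) -> AcsServer:
    return AcsServer(users={"jsmith": "s3cret"}, dacls={DACL_NAME: DACL_BODY},
                     require_marker=fixed)


def nas_acl_download(acl_name: str, nas_fixed: bool) -> AccessRequest:
    """What a RAS/NAS sends to fetch an ACL: old software sends just the name in
    User-Name; fixed software also sets the marker. The password a real device
    puts in the request is not given in the notice and does not affect the model."""
    return AccessRequest(user_name=acl_name, password="", dacl_marker=nas_fixed)


def login_with_acl_name(acs: AcsServer) -> AccessResponse:
    """A login that supplies the ACL identifier as the user name with an
    arbitrary password, i.e. the request the RAS/NAS would forward in the
    scenario the notice describes."""
    return acs.handle(AccessRequest(user_name=DACL_NAME, password="anything"))


def compatibility_matrix() -> Dict[Tuple[bool, bool], str]:
    """Result code of a legitimate ACL download for each (ACS fixed, NAS fixed)
    pairing; reproduces the upgrade-order consequences stated in the notice."""
    return {
        (acs_fixed, nas_fixed):
            make_acs(acs_fixed).handle(nas_acl_download(DACL_NAME, nas_fixed)).code
        for acs_fixed in (False, True)
        for nas_fixed in (False, True)
    }


if __name__ == "__main__":
    print("3.x ACS, login using ACL name  :", login_with_acl_name(make_acs(False)).code)
    print("4.0.1 ACS, login using ACL name:", login_with_acl_name(make_acs(True)).code)
    for (acs_fixed, nas_fixed), code in compatibility_matrix().items():
        print(f"ACS fixed={acs_fixed!s:5} NAS fixed={nas_fixed!s:5} -> ACL download {code}")
```

The matrix is the reason the notice insists on upgrading both sides: a fixed ACS with an unfixed NAS rejects every ACL download (the NAS never sends the marker), while an unfixed ACS simply ignores the marker, so upgrading the NAS first is harmless. Ordinary user logins never touch the download path in either version.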

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS                                      Description
CSCin79018 (registered customers only)    IOS: Potential ACL vulnerability in downloadable ACL functionality integrated in 12.3(08)T04 and 12.3(10.02)T
CSCsc89235 (registered customers only)    FWSM - Add support for new RADIUS VSA to mitigate downloadable ACL issue
CSCeh22447 (registered customers only)    ASA - Add support for new RADIUS VSA to mitigate downloadable ACL issue
CSCee92021 (registered customers only)    VPN 3000: Fix needed for Downloadable ACL security fix w/ ACS integrated in 04.7(00) REL 04.0(05)B 04.1(05)B
CSCef21184 (registered customers only)    PIX: Add support for new RADIUS VSA to mitigate downloadable ACL issue. Integrated in 7.0.4

Revision History

Revision    Date           Comment
1.1         13-APR-2006    Added patch info
1.0         27-Dec-2005    Initial public release.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.