Two workarounds for this vulnerability exist.
One workaround consists of enabling client validation within
CiscoSecure ACS for UNIX. A caveat to this workaround is that some versions of
CiscoSecure ACS for UNIX are subject to another defect, which prevents access
to additional administration utilities (the Advanced Administration GUI) within
CiscoSecure ACS for UNIX when the client validation feature is enabled. This
problem is tracked as CSCdm72555, which affects versions 2.3.1 and 2.3.2, and
CSCdk55423, which affects versions 2.2.2 and 2.2.3 of CiscoSecure ACS for UNIX.
This workaround will therefore not be effective in CiscoSecure ACS for UNIX
versions 2.2.2, 2.2.3, 2.3.1 and 2.3.2, and customers running those versions
are encouraged to upgrade to a version that does not include this defect.
Version 2.3.3 is currently available and is not susceptible to the above
You must edit the CSCconfig.ini file, list the permitted remote-access
hosts, and enable remote client validation. TACACS or RADIUS clients do NOT need
to be listed under this setting; only hosts that are permitted to administer the
server should be listed.
In the following example, 'acs_srv_machine' resolves to localhost, and
remote administration privileges are granted to the host 'client_machine'
and the IP address 172.16.23.23. Permitted clients may be defined by
hostname or by IP address.
The CSCconfig.ini file should be edited to contain the following:
;if ValidateClients=true, then we only allow the clients with ids listed
; to connect to the dbserver
100 = acs_srv_machine
100 = client_machine
100 = 172.16.23.23
ValidateClients = true
An additional configuration parameter, "FastAdminValidClients", was
added in CiscoSecure ACS version 2.3.3. It allows the Fast Administrator
web-based GUI to restrict access to the same IP addresses specified in the
valid-clients list, further limiting client access.
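As an added illustration, not part of the advisory or of Cisco's own tooling, the following Python script audits a CSCconfig.ini-style file and reports whether the client-validation workaround is actually in effect: ValidateClients set to true and a non-empty list of sane permitted hosts. It assumes the layout shown above (';' comment lines, 'key = value' entries, repeated '100 = host' lines for permitted hosts, and a ValidateClients key); that '100' is the only key used for permitted hosts is an assumption of the script, and both sample file contents are constructed here.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the hardened CSCconfig.ini fragment from the workaround above.
HARDENED_CONFIG = """\
;if ValidateClients=true, then we only allow the clients with ids listed
; to connect to the dbserver
100 = acs_srv_machine
100 = client_machine
100 = 172.16.23.23
ValidateClients = true
"""

# Constructed sample: validation never switched on, so the permitted-host list
# is not enforced and any host that can reach the dbserver port may connect.
WEAK_CONFIG = """\
100 = acs_srv_machine
ValidateClients = false
"""

# Hostname: labels of letters, digits, '-' and '_' separated by dots.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*$")


@dataclass
class ClientValidation:
    enabled: bool
    permitted: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def _valid_host_entry(value: str) -> bool:
    """Accept a specific IP address or a plain hostname; reject empty values,
    wildcards and unspecified addresses such as 0.0.0.0."""
    if not value or "*" in value:
        return False
    try:
        return not ipaddress.ip_address(value).is_unspecified
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def parse_client_validation(text: str, permitted_key: str = "100") -> ClientValidation:
    """Parse client-validation settings out of CSCconfig.ini-style text.

    permitted_key='100' is taken from the advisory's example; this script assumes
    it is the only key that carries permitted-host entries.
    """
    enabled = False
    permitted: List[str] = []
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if "=" not in line:
            findings.append(f"unparsable line: {raw!r}")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == permitted_key:
            if _valid_host_entry(value):
                permitted.append(value)
            else:
                findings.append(f"rejecting permitted-host entry: {value!r}")
        elif key.lower() == "validateclients":
            enabled = value.lower() == "true"
    if not enabled:
        findings.append("ValidateClients is not true: the permitted-host list is not enforced")
    elif not permitted:
        findings.append("ValidateClients is true but no valid permitted hosts are listed")
    return ClientValidation(enabled, permitted, findings)


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        result = parse_client_validation(cfg)
        print(f"{name}: enabled={result.enabled} permitted={result.permitted}")
        for finding in result.findings:
            print(f"  finding: {finding}")
```

Run it against the real file with the contents read from disk; an empty findings list means the workaround is configured as the advisory describes, while any finding points at a line that leaves the dbserver reachable from hosts that should not administer it.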
A second workaround is to use filtering on other network devices, such
as a firewall, to control or block access to TCP port 9900 on the CiscoSecure
ACS for UNIX server.