Cisco Secure ACS for Windows and Solution Engine EAP-TLS bypass authentication
ciscosecure-eaptls-auth-bypass (17936)
Description:
Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) could allow a remote attacker to bypass authentication and gain unauthorized access to the network. If the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol is enabled, a remote attacker could use an expired or untrusted certificate to authenticate and gain unauthorized access, as long as the certificate is correctly formatted and cryptographically correct and contains valid fields.
Note: Cisco Secure ACS and Solution Engine are not affected by this vulnerability when the EAP-TLS protocol is configured to use the binary comparison method as the only method to compare certificates and if the user entry in Lightweight Directory Access Protocol/Active Directory (LDAP/AD) contains only valid certificates.
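The following Go program is an added example, not Cisco's code and not part of this X-Force record. It contrasts a certificate check with the weakness described above (a certificate is accepted as long as it parses and names the user) against a check that verifies the chain to a trusted CA and the validity period, and then applies the binary comparison the note refers to: the presented certificate must match byte-for-byte the certificate stored in the user's directory entry. The CA names, the user "alice", the reference date and all certificates are constructed inside the program; `weakAccept`, `strictAccept` and `RunScenarios` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn: self-signed when parent is nil, otherwise
// signed by parent with parentKey. Constructed test material; panics on failure.
func makeCert(cn string, isCA bool, nb, na time.Time, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// weakAccept models the flaw: a certificate that parses and names the user is
// accepted, with no check of the issuer chain or the validity period.
func weakAccept(der []byte, username string) bool {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false
	}
	return cert.Subject.CommonName == username
}

// strictAccept verifies the chain to a trusted root and the validity period at
// time now, and, when the directory holds a certificate for the user, requires
// the presented one to match it byte-for-byte (the binary comparison method).
func strictAccept(der []byte, username string, roots *x509.CertPool, now time.Time, directoryCopy []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if cert.Subject.CommonName != username {
		return errors.New("subject does not name the authenticating user")
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err // untrusted issuer, outside validity period, or wrong key usage
	}
	if directoryCopy != nil && !bytes.Equal(der, directoryCopy) {
		return errors.New("presented certificate differs from the copy stored for this user")
	}
	return nil
}

// Outcome records whether each check accepted each constructed certificate.
type Outcome struct {
	WeakValid, WeakExpired, WeakUntrusted                        bool
	StrictValid, StrictExpired, StrictUntrusted, StrictOtherCert bool
}

// RunScenarios builds a trusted CA, a rogue CA and four certificates for alice
// (valid, expired, issued by the rogue CA, and valid but not the enrolled one).
func RunScenarios() Outcome {
	now := time.Date(2004, 11, 2, 15, 0, 0, 0, time.UTC) // constructed reference time
	day := 24 * time.Hour
	ca, caKey := makeCert("Constructed Corp CA", true, now.Add(-365*day), now.Add(365*day), nil, nil)
	rogue, rogueKey := makeCert("Rogue CA", true, now.Add(-365*day), now.Add(365*day), nil, nil)
	valid, _ := makeCert("alice", false, now.Add(-30*day), now.Add(30*day), ca, caKey)
	expired, _ := makeCert("alice", false, now.Add(-400*day), now.Add(-10*day), ca, caKey)
	untrusted, _ := makeCert("alice", false, now.Add(-30*day), now.Add(30*day), rogue, rogueKey)
	other, _ := makeCert("alice", false, now.Add(-30*day), now.Add(30*day), ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	stored := valid.Raw // the certificate held in alice's LDAP/AD user entry
	return Outcome{
		WeakValid:       weakAccept(valid.Raw, "alice"),
		WeakExpired:     weakAccept(expired.Raw, "alice"),
		WeakUntrusted:   weakAccept(untrusted.Raw, "alice"),
		StrictValid:     strictAccept(valid.Raw, "alice", roots, now, stored) == nil,
		StrictExpired:   strictAccept(expired.Raw, "alice", roots, now, stored) == nil,
		StrictUntrusted: strictAccept(untrusted.Raw, "alice", roots, now, stored) == nil,
		StrictOtherCert: strictAccept(other.Raw, "alice", roots, now, stored) == nil,
	}
}
```

The weak check accepts all three of the valid, expired and untrusted certificates, which is the condition the advisory describes. The strict check accepts only the enrolled certificate: chain verification rejects the rogue-issued one, the validity-period check rejects the expired one, and the binary comparison rejects even a properly issued, unexpired certificate for the same user that is not the one stored in the directory, which is why the note stresses that the user entry must contain only valid certificates.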
Consequences:
Bypass Security
Remedy:
Upgrade to the latest version of Cisco Secure ACS and Solution Engine (3.3.2 or later), as listed in Cisco Security Advisory 2004 November 2 1500 UTC (GMT).
References:
- CIAC Information Bulletin P-028: Cisco Secure Access Control Server (ACS) EAP-TLS Authentication Vulnerability.
- Cisco Security Advisory 2004 November 2 1500 UTC (GMT): Vulnerability in Cisco Secure Access Control Server EAP-TLS Authentication.
- BID-11577: Cisco Secure Access Control Server Remote Authentication Bypass Vulnerability
- CVE-2004-1099: Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) 3.3.1, when the EAP-TLS protocol is enabled, does not properly handle expired or untrusted certificates, which allows remote attackers to bypass authentication and gain unauthorized access via a cryptographically correct certificate with valid fields such as the username.
Platforms Affected:
- Cisco Secure Access Control Server 3.3(1)
- Cisco Secure Access Control Server Solution Engine 3.3.1
- Cisco Secure ACS Solution Engine
Reported:
Nov 02, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
