what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SYMSA-2006-003.txt

SYMSA-2006-003.txt
Posted May 17, 2006
Authored by Andreas Junestam | Site symantec.com

Symantec Vulnerability Research SYMSA-2006-003 - Cisco Secure ACS 3.x for Windows stores passwords for administrative users in the registry. The passwords are encrypted using the Crypto API Microsoft Base Cryptographic Provider version 1.0. Along with the passwords, ACS also stores the key used to encrypt the information.

tags | advisory, cryptography, registry
systems | cisco, windows
advisories | CVE-2006-0561
SHA-256 | b304fda49e4522962451e9d0ea78704e0db872b7bbf32470161e1c81ea12df57

SYMSA-2006-003.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




Symantec Vulnerability Research
https://www.symantec.com/research
Security Advisory

Advisory ID : SYMSA-2006-003
Advisory Title: Cisco Secure ACS for Windows - Administrator
Password Disclosure
Author : Andreas Junestam
Release Date : 05-08-2006
Application : Cisco Secure ACS 3.x for Windows
Platform : Microsoft Windows
Severity : System access / exploit available
Vendor status : Vendor verified, workaround available
CVE Number : CVE-2006-0561
Reference : http://www.securityfocus.com/bid/16743


Overview:

Cisco Secure ACS is a central administration platform for
Cisco network devices. It controls authentication and
authorization for enrolled devices. Administrative
passwords for locally-defined users are stored in such a
way they can be obtained from the Windows registry. If
remote registry access is enabled, this can be done over
the network.

If Cisco Secure ACS is configured to use an external
authentication service such as Windows Active Directory or
LDAP, the passwords for users stored by those services are
not vulnerable to this issue.


Details:

Cisco Secure ACS 3.x for Windows stores passwords for
administrative users in the registry. The passwords are
encrypted using the Crypto API Microsoft Base Cryptographic
Provider v1.0. Along with the passwords, ACS also stores
the key used to encrypt the information. This information
can easily be obtained locally by a Windows administrator,
and if remote registry access is enabled, it can be
obtained over the network. With this, the clear-text
passwords can be recovered by decrypting the information
in the registry with the supplied key. Access to these
passwords provides access to all Cisco devices controlled
by the ACS server.


Vendor Response:


Cisco Secure ACS 3.x for Windows stores the passwords of
ACS administrators in the Windows registry in an encrypted
format. A locally generated master key is used to
encrypt/decrypt the ACS administrator passwords. The master
key is also stored in the Windows registry in an encrypted
format. Using Microsoft cryptographic routines, it is
possible for a user with administrative privileges to a
system running Cisco Secure ACS to obtain the clear-text
version of the master key. With the master key, the user
can decrypt and obtain the clear-text passwords for all
ACS administrators. With administrative credentials to
Cisco Secure ACS, it is possible to change the password
for any locally defined users. This may be used to gain
access to network devices configured to use Cisco Secure
ACS for authentication.

If remote registry access is enabled on a system running
Cisco Secure ACS, it is possible for a user with
administrative privileges (typically domain administrators)
to exploit this vulnerability.

If Cisco Secure ACS is configured to use an external
authentication service such as Windows Active Directory /
Domains or LDAP, the passwords for users stored by those
services are not at risk to compromise via this
vulnerability.

This vulnerability only affects version 3.x of Cisco Secure
ACS for Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco
Secure ACS for UNIX are not vulnerable. Cisco Secure ACS 3.x
appliances do not permit local or remote Windows registry
access and are not vulnerable.

Workaround:

It is possible to mitigate this vulnerability by
restricting access to the registry key containing the
ACS administrators' passwords. One feature of Windows
operating systems is the ability to modify the permissions
of a registry key to remove access even for local or
domain administrators. Using this feature, the registry
key containing the ACS administrators' passwords can be
restricted to only the Windows users with a need to
maintain the ACS installation or operate the ACS services.

The following registry key and all of its sub-keys need to
be protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

Note: The "CiscoAAAv3.3" portion of the registry key path
may differ slightly depending on the version of Cisco Secure
ACS for Windows that is installed.

There are two general deployment scenarios for Cisco Secure
ACS. The Windows users that need permissions to the registry
key will depend on the deployment type.

* If Cisco Secure ACS is not installed on a Windows domain
controller, access to the registry key should be limited to
only the local Windows SYSTEM account and specific local /
domain administrators who will be performing software
maintenance on the ACS installation.

* If Cisco Secure ACS is installed on a Windows domain
controller, access to the registry key should be limited to
the domain account which ACS is configured to use for its
services, the local Windows SYSTEM account and specific
local / domain administrators who will be performing
software maintenance on the ACS installation.

For information about editing the Windows registry, please
consult the following Microsoft documentation.

"Description of the Microsoft Windows registry"

http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986

Further mitigation against remote exploitation can be
achieved by restricting access to authorized users or
disabling remote access to the Windows registry on systems
running Cisco Secure ACS for Windows. For information on
restricting remote registry access, please consult the
following Microsoft documentation.

"How to restrict access to the registry from a remote computer"

http://support.microsoft.com/kb/q153183

"How to Manage Remote Access to the Registry"

http://support.microsoft.com/kb/q314837

Recommendation:

Follow your organization's testing procedures before
applying patches or workarounds. See Cisco's instructions
on how to place an ACL on the Registry Key, and also how
to restrict remote access to the Windows registry.

These recommendations do not eliminate the vulnerability,
but provide some mitigation.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


CVE-2006-0561

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research PGP Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_PGP.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com

For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from cs_advisories@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEXR5muk7IIFI45IARArK+AJwOzswbkJN2WirzNweklR+iBBHpsQCgyNOe
vKVo3Si7ycswRs/2kiA997I=
=dkX3
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close