Cisco Secure ACS Weak Session Management Vulnerability June 23, 2006 Product Overview: Cisco Secure Access Control Server (ACS) provides a centralized identity networking solution and simplified user management experience across all Cisco devices and security management applications. Cisco Secure ACS is a major component of Cisco trust and identity networking security solutions. It extends access security by combining authentication, user and administrator access, and policy control from a centralized identity networking framework, thereby allowing greater flexibility and mobility, increased security, and user productivity gains. Vulnerability Details: A vulnerability has been identified in the Cisco Secure ACS session management architecture which could be exploited by an attacker to obtain full administrative access to the web interface and thus all managed assets (routers, switches, 802.1x authenticated networks, etc). By default, the Cisco Secure ACS web administration login page runs on TCP port 2002. Upon successful authentication, the client is then redirected to a dynamicand unique HTTP server port between 1024 and 65535. Once authenticated, ACS relies solely upon the port and the client IP address to validate the session. Clearly one can think of many somewhat trivial techniques for acquiring the necessary IP address or senarios where the attacker may already share the same source IP as the administrator (proxies, NATing devices). Now it's merely a matter of identifying the port allocated for the administrative interface. This is easily accomplished as ACS follows a simple incrementation process for port allocation. Affected Versions: Cisco Secure ACS 4.x for Windows Legacy versions may also be affected. Workarounds: Configure ACLs within Cisco Secure ACS to restrict access to the web interface from only 'secure' network address space. Cisco has confirmed this vulnerability and is working on a patch. References: http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html -- Thank you, Darren Bounds