Title:
------

* Cisco Secure ACS does not correctly parse the length of EAP-Response
  packets, which allows remote attackers to cause a denial of service and
  possibly execute arbitrary code

Summary:
--------

* A remote attacker (acting as a RADIUS client) could send a specially
  crafted EAP-Response packet to a Cisco Secure ACS server in such a way
  as to cause the CSRadius service to crash (reliably). The bug is
  triggered when the Length field of an EAP-Response packet carries a
  large value, greater than the real packet length. Any EAP-Response type
  can trigger this bug: EAP-Response/Identity, EAP-Response/MD5,
  EAP-Response/TLS...

Affected Products:
------------------

* All versions of Cisco Secure ACS that support EAP; for the precise
  list, check the Cisco Advisory cisco-sr-20080903-csacs

Assigned CVE:
-------------

* CVE-2008-2441

Details:
--------

* An EAP packet is laid out as follows:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Code      |  Identifier   |            Length             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |  Identity...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

* For example, the following packet will trigger the vulnerability and
  crash CSRadius.exe (the Length field claims 0xdddd bytes while the
  packet actually carries only a few):

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |       2       |       0       |            0xdddd             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |       1       |  abcd
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Attack Impact:
--------------

* Denial of service and possibly remote arbitrary code execution

Attack Vector:
--------------

* Access as a RADIUS client (knowing or guessing the RADIUS shared
  secret), or access from an unauthenticated wireless device if the
  access point relays malformed EAP frames to the server

Timeline:
---------

* 2008-05-05 - Vulnerability reported to Cisco
* 2008-05-05 - Cisco acknowledged the notification
* 2008-05-05 - PoC sent to Cisco
* 2008-05-13 - Cisco confirmed the issue
* 2008-09-03 - Coordinated public release of advisory

Credits:
--------

* This vulnerability was discovered by Gabriel Campana and Laurent Butti
  from France Telecom / Orange
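The check the Details section says is missing, as an added example that is not part of the advisory or of Cisco's code: a small EAP parser that refuses to trust the Length field, applying the RFC 3748 rules (Length at least 4, and never larger than the bytes actually received). The sample packets are constructed here to mirror the two layouts drawn above; `parse_eap`, `is_malformed` and the `EapPacket` class are names chosen for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAP_HEADER_LEN = 4
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]  # only Request/Response carry a Type byte
    data: bytes


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, validating Length against the received bytes.

    Raises ValueError instead of trusting the header, which is the check
    whose absence the advisory describes.
    """
    if len(buf) < EAP_HEADER_LEN:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", buf[:EAP_HEADER_LEN])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < EAP_HEADER_LEN:
        raise ValueError(f"Length {length} is smaller than the EAP header")
    if length > len(buf):
        # The advisory's case: Length (e.g. 0xdddd) claims far more bytes
        # than the datagram actually carries.
        raise ValueError(f"Length {length} exceeds the {len(buf)} received bytes")
    body = buf[EAP_HEADER_LEN:length]  # bytes past Length are padding, ignored
    if code in (1, 2):
        if not body:
            raise ValueError("Request/Response without a Type byte")
        return EapPacket(code, identifier, length, body[0], body[1:])
    return EapPacket(code, identifier, length, None, body)


def is_malformed(buf: bytes) -> bool:
    """True when the packet would be rejected by the length validation."""
    try:
        parse_eap(buf)
    except ValueError:
        return True
    return False


# Constructed samples (not captured traffic), mirroring the advisory's diagrams.
CRAFTED = bytes([2, 0, 0xDD, 0xDD, 1]) + b"abcd"  # Length 0xdddd, only 9 bytes present
BENIGN = bytes([2, 0, 0x00, 0x09, 1]) + b"abcd"   # Length 9 matches the 9 bytes present
```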