CPNI - Centre for the Protection of National Infrastructure

May 2006

Two Cisco Security Responses: 1. Cisco Secure ACS for Windows - Administrator Password Disclosure 2. PIX/ASA/FWSM Websense/N2H2 Content Filter Bypass

ID: 00341
Ref: 334/2006
Date: 09 May 2006:14:13:45
Version: 1

Title: Two Cisco Security Responses: 1. Cisco Secure ACS for Windows - Administrator Password Disclosure 2. PIX/ASA/FWSM Websense/N2H2 Content Filter Bypass
Abstract:
Vendors affected: Cisco
Operating systems affected: Cisco
Applications affected: Cisco

Title
=====
Two Cisco Security Responses:

1. Cisco Secure ACS for Windows - Administrator Password Disclosure

2. PIX/ASA/FWSM Websense/N2H2 Content Filter Bypass

Detail
======

1. A person with administrative access to the Windows registry of a
system running Cisco Secure ACS 3.x for Windows can decrypt the
passwords of all ACS administrators.

2. This is Cisco PSIRT's response to the statements made by George Gal
in his advisory: WebSense Content Filter Bypass in conjunction with
Cisco PIX in packet filter mode, posted on May 08, 2006.




1.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Response to Symantec SYMSA-2006-003 Cisco
Secure ACS for Windows - Administrator Password Disclosure

Document ID: 70091

http://www.cisco.com/warp/public/707/cisco-sr-20060508-acs.shtml

Revision 1.0

For Public Release 2006 May 08 2145 UTC (GMT)

+--------------------------------------------------------------------

Contents

Cisco Response
Additional Information
Revision History
Cisco Security Procedures

+--------------------------------------------------------------------

Cisco Response
==============

This is Cisco PSIRT's response to the statements made by Symantec in
its advisory: SYMSA-2006-003, posted on May 8, 2006.

The original email/advisory is available at:

http://www.symantec.com/enterprise/research/SYMSA-2006-003.txt

This issue is being tracked by Cisco Bug ID:

* CSCsb67457 -- Cisco Secure ACS Administrator Password Remote
Retrieval and Decryption.

We would like to thank Andreas Junestam and Symantec for reporting
this vulnerability to us.

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information
======================

Cisco Secure Access Control Server (ACS) provides centralized
identity management and policy enforcement for Cisco devices.

CSCsb67457 -- Cisco Secure ACS Administrator Password Remote
Retrieval and Decryption.

Symptom:
+-------

A person with administrative access to the Windows registry of a
system running Cisco Secure ACS 3.x for Windows can decrypt the
passwords of all ACS administrators.

Condition:
+---------

Cisco Secure ACS 3.x for Windows stores the passwords of ACS
administrators in the Windows registry in an encrypted format. A
locally generated master key is used to encrypt/decrypt the ACS
administrator passwords. The master key is also stored in the Windows
registry in an encrypted format. Using Microsoft cryptographic
routines, it is possible for a user with administrative privileges to
a system running Cisco Secure ACS to obtain the clear-text version of
the master key. With the master key, the user can decrypt and obtain
the clear-text passwords for all ACS administrators. With
administrative credentials to Cisco Secure ACS, it is possible to
change the password for any locally defined users. This may be used
to gain access to network devices configured to use Cisco Secure ACS
for authentication.

If remote registry access is enabled on a system running Cisco Secure
ACS, it is possible for a user with administrative privileges
(typically domain administrators) to exploit this vulnerability.

If Cisco Secure ACS is configured to use an external authentication
service such as Windows Active Directory / Domains or LDAP, the
passwords for users stored by those services are not at risk of
compromise via this vulnerability.

This vulnerability only affects version 3.x of Cisco Secure ACS for
Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco Secure ACS for
UNIX are not vulnerable. Cisco Secure ACS 3.x appliances do not
permit local or remote Windows registry access and are not
vulnerable.

Workaround:
+----------

It is possible to mitigate this vulnerability by restricting access
to the registry key containing the ACS administrators' passwords. One
feature of Windows operating systems is the ability to modify the
permissions of a registry key to remove access even for local or
domain administrators. Using this feature, the registry key
containing the ACS administrators' passwords can be restricted to
only the Windows users with a need to maintain the ACS installation
or operate the ACS services.

The following registry key and all of its sub-keys need to be
protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

Note: The "CiscoAAAv3.3" portion of the registry key path may differ
slightly depending on the version of Cisco Secure ACS for Windows
that is installed.

There are two general deployment scenarios for Cisco Secure ACS. The
Windows users that need permissions to the registry key will depend
on the deployment type.

* If Cisco Secure ACS is not installed on a Windows domain
controller, access to the registry key should be limited to only
the local Windows SYSTEM account and specific local/domain
administrators who will be performing software maintenance on the
ACS installation.
* If Cisco Secure ACS is installed on a Windows domain controller,
access to the registry key should be limited to the domain
account which ACS is configured to use for its services, the
local Windows SYSTEM account and specific local / domain
administrators who will be performing software maintenance on the
ACS installation.
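
One way to apply and then verify the restriction described above, as an added PowerShell example that is not part of Cisco's response. The account names in `$Allowed` are hypothetical placeholders, and the version part of the key path may differ as noted above.

```powershell
# Added example (not Cisco's code). Run elevated on the ACS host.
# Key path is the one given in the advisory; the version part may differ.
$KeyPath = 'HKLM:\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators'
# Hypothetical accounts: SYSTEM plus the named ACS maintainers. On a domain
# controller, also list the domain account the ACS services run as.
$Allowed = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\acs-maint')

function Get-UnexpectedAce {
    # List every ACE on the key and its sub-keys held by an identity not in $Allowed.
    param([string]$Path, [string[]]$Allowed)
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        foreach ($ace in (Get-Acl -Path $key.PSPath).Access) {
            $who = $ace.IdentityReference.Value
            if ($Allowed -notcontains $who) {
                [pscustomobject]@{
                    Key = $key.Name; Identity = $who
                    Rights = $ace.RegistryRights; Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Set-RestrictedKeyAcl {
    # Replace the key's DACL with FullControl for $Allowed only, inherited by sub-keys.
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting; drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleSpecific($ace)    # clear existing explicit ACEs
    }
    foreach ($account in $Allowed) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Get-UnexpectedAce -Path $KeyPath -Allowed $Allowed | Format-Table -AutoSize   # before
Set-RestrictedKeyAcl -Path $KeyPath -Allowed $Allowed
# Anything still listed sits on a sub-key with its own explicit or protected ACL.
Get-UnexpectedAce -Path $KeyPath -Allowed $Allowed | Format-Table -AutoSize   # after
```

The account running the script loses access to the key unless it is in `$Allowed`, which is the intended outcome of the workaround.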

For information about editing the Windows registry, please consult
the following Microsoft documentation.

"Description of the Microsoft Windows registry":

http://support.microsoft.com/default.aspx?scid=kb;EN-US;25698

Further mitigation against remote exploitation can be achieved by
restricting access to authorized users or disabling remote access to
the Windows registry on systems running Cisco Secure ACS for Windows.
For information on restricting remote registry access, please consult
the following Microsoft documentation.

"How to restrict access to the registry from a remote computer":

http://support.microsoft.com/kb/q153183

"How to Manage Remote Access to the Registry":

http://support.microsoft.com/kb/q314837

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

Revision History
================

+------------------------------------------------------+
| Revision 1.0 | 2006-May-08 | Initial public release. |
+------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------

All contents are Copyright 1992-2006 Cisco Systems, Inc. All rights
reserved.


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEX+cV8NUAbBmDaxQRAqN1AJ4zKdy5hB/lrBGRI4QU8NBquOau6gCfTgY4
k1EBCxJ+XjdsjHY3+5E1k68=
=EllD
- -----END PGP SIGNATURE-----



2.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Response to PIX/ASA/FWSM Websense/N2H2
Content Filter Bypass

http://www.cisco.com/warp/public/707/cisco-sr-20060508-pix.shtml

Revision 1.0

For Public Release 2006 May 08 1700 UTC (GMT)

+--------------------------------------------------------------------

Contents
========

Cisco Response
Additional Information
Revision History
Cisco Security Procedures

+--------------------------------------------------------------------

Cisco Response
==============

This is Cisco PSIRT's response to the statements made by George Gal
in his advisory: WebSense Content Filter Bypass in conjunction with
Cisco PIX in packet filter mode, posted on May 08, 2006.

The original email/advisory is available at
http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt.

This issue is being tracked by Cisco Bug IDs:

* CSCsc67612 (registered customers only) -- Fragmented HTTP
Request Websense URL Filtering Bypass Pix 6.3.x
This Bug ID tracks the issue for PIX software version 6.3 and
older. This DDTS is resolved and available in PIX software version
6.3.5(112). No workarounds exist to eliminate this issue.

* CSCsc68472 (registered customers only) -- Fragmented HTTP
Request Websense URL Filtering Bypass PIX/ASA 7.x
This Bug ID tracks the issue for PIX/ASA software version 7.x.
This DDTS is resolved and available in PIX/ASA software versions
7.0(5) and 7.1(2). No workarounds exist to eliminate this issue.

* CSCsd81734 (registered customers only) -- Segmented HTTP request
bypasses Websense/N2H2 URL filtering
This Bug ID tracks the issue for FWSM software version 2.3 and
3.1. This DDTS is resolved and available in FWSM software versions
2.3(4) and 3.1(1.7). No workarounds exist to eliminate this issue.

We would like to thank George Gal of Virtual Security Research for
reporting this issue to us.

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information
======================

If various PIX/ASA/FWSM software versions are configured to use
Websense/N2H2 for content filtering, users may be able to bypass HTTP
content restrictions. By fragmenting the GET method of an HTTP
request into multiple packets, it is possible to cause a condition in
which the PIX/ASA/FWSM firewall will mistakenly allow a restricted
website to be accessed. The PIX/ASA/FWSM firewall expects the entire
GET method to be received in one packet. There are no workarounds
which mitigate or eliminate this issue.
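
The inspection gap described above, shown as an added PowerShell model that is not Cisco's implementation: a filter that judges each TCP segment on its own is compared with one that reassembles the request head before the lookup. The blocked host name, the sample segments and all function names are constructed for illustration.

```powershell
# Added example: simplified model of per-packet versus reassembled URL filtering.
$BlockedHosts = @('blocked.example')     # constructed policy entry

function Test-Blocked {
    # A policy lookup is only possible when a full request line and Host header are visible.
    param([string]$Head)
    if ($Head -match '(?s)^GET \S+ HTTP/1\.[01]\r\n.*?Host: (\S+)\r\n') {
        return ($BlockedHosts -contains $Matches[1])
    }
    return $false
}

function Invoke-PerSegmentFilter {
    # Flawed model: each segment is inspected alone; a partial request is never looked up.
    param([string[]]$Segments)
    foreach ($s in $Segments) { if (Test-Blocked $s) { return 'deny' } }
    return 'allow'
}

function Invoke-ReassemblingFilter {
    # Corrected model: buffer the stream until the header block ends, then inspect once.
    param([string[]]$Segments)
    $buffer = ''
    foreach ($s in $Segments) {
        $buffer += $s
        if ($buffer.Contains("`r`n`r`n")) {
            if (Test-Blocked $buffer) { return 'deny' } else { return 'allow' }
        }
    }
    return 'hold'    # request head incomplete: forward nothing yet
}

# Constructed traffic: the same request in one segment and split across two.
$whole = @("GET /index.html HTTP/1.1`r`nHost: blocked.example`r`n`r`n")
$split = @("GET /index.", "html HTTP/1.1`r`nHost: blocked.example`r`n`r`n")

foreach ($case in @(@{ Name = 'whole'; Segs = $whole }, @{ Name = 'split'; Segs = $split })) {
    [pscustomobject]@{
        Request     = $case.Name
        PerSegment  = Invoke-PerSegmentFilter  -Segments $case.Segs
        Reassembled = Invoke-ReassemblingFilter -Segments $case.Segs
    }
}
```

The per-segment model denies the whole request but allows the split one, while the reassembling model denies both.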

PIX software version 6.3.5(112) and later resolves this issue.
Interim releases of PIX 6.3 software are only available by contacting
the Cisco TAC or your Cisco support partner. Please reference this
security response when requesting software to ensure the proper
software version is obtained.

PIX/ASA software versions 7.0(5) and 7.1(2) resolve this issue.
Maintenance releases of PIX/ASA 7.x software may be downloaded at the
following sites.

http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2

FWSM software versions 2.3(4), 3.1(1.7) and later resolve this issue.
FWSM software version 2.3(4) may be downloaded at the following site.

http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2

Interim releases of FWSM 3.1 software are only available by
contacting the Cisco TAC or your Cisco support partner. Please
reference this security response when requesting software to ensure
the proper software version is obtained.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

Revision History
================

+------------------------------------------------------+
| Revision 1.0 | 2006-May-08 | Initial public release. |
+------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (SunOS)

iD8DBQFEX4+18NUAbBmDaxQRAi/XAKCG41RWP9Ksd6RO/eq6qsY2zCANCACdH6pL
KyCdqXXm7j+jNpTsHg/osfg=
=6DBE
- -----END PGP SIGNATURE-----