Another security flaw in Cisco products
A security hole in the Cisco Secure Access Control Server (ACS) has just been discovered and published.
Cisco Secure Access Control Server (ACS) is an important part of Cisco's identity and trust management framework. This is also one of the cornerstones of the Cisco Network Admission Control (NAC) initiative.
Secure ACS is an identity networking solution that simplifies user management by combining authentication, user and administrator access, and policy management.
The vulnerability in Secure ACS can allow attackers to gain administrative-level access to the web interface of the network device management software.
Darren Bounds, an independent security researcher, discovered the vulnerability and disclosed it through the Full Disclosure mailing list.
Secure ACS is an important link in the Cisco NAC framework. It is built mainly around authenticating users and endpoints against central directories.
"Unfortunately, if an attacker successfully exploits the security flaw in Secure ACS, they can gain administrative-level access to any device for which the ACS server holds access certificates," said Bounds.
The flaw is fairly easy to exploit because the information needed can be collected easily or, in some cases, is already available. For example, many companies route access to Secure ACS through a proxy, which means all clients have the same IP address.
To exploit the vulnerability, an attacker needs to find a dynamic port managed by the ACS server. This information is easy to find because most Secure ACS installations now use automatic port provisioning.
"It's easy to predict whether the administrator is logged in and to find out which port they're using. And since only about 65,000 ports in total are used, the attacker can simply run through every port until he discovers the port he needs," added Bounds.
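The design weakness described above can be modelled in a few lines. This is an added example, not Cisco's code and not part of the original article. It assumes, as the article implies, that an admin session is recognised only by source IP address and dynamic port; the class names, the proxy address and the token-based alternative are hypothetical.

```python
import hmac
import secrets

# Simplified model, not Cisco's code. Assumption taken from the article: an
# admin session is recognised only by source IP address and dynamic port.
PROXY_IP = "192.0.2.10"   # constructed: address shared by all proxied clients
PORT_SPACE = 65535        # "about 65,000" ports, per the article

def _dynamic_port():
    return 1 + secrets.randbelow(PORT_SPACE)

class WeakAdminSessions:
    """Hypothetical: a request is 'admin' if (source IP, port) matches."""
    def __init__(self):
        self._sessions = set()

    def login(self, src_ip):
        port = _dynamic_port()
        self._sessions.add((src_ip, port))
        return port

    def is_admin(self, src_ip, port):
        return (src_ip, port) in self._sessions

class TokenAdminSessions:
    """Hypothetical fix: also require a 128-bit random token per session."""
    def __init__(self):
        self._sessions = {}

    def login(self, src_ip):
        port, token = _dynamic_port(), secrets.token_hex(16)
        self._sessions[(src_ip, port)] = token
        return port, token

    def is_admin(self, src_ip, port, token):
        expected = self._sessions.get((src_ip, port))
        return bool(expected and token) and hmac.compare_digest(expected, token)

def proxy_scenario():
    """A second client behind the same proxy reuses the administrator's port."""
    weak, fixed = WeakAdminSessions(), TokenAdminSessions()
    weak_port = weak.login(PROXY_IP)
    fixed_port, token = fixed.login(PROXY_IP)
    return {
        "weak_accepts_second_client": weak.is_admin(PROXY_IP, weak_port),
        "fixed_accepts_second_client": fixed.is_admin(PROXY_IP, fixed_port, None),
        "fixed_accepts_administrator": fixed.is_admin(PROXY_IP, fixed_port, token),
        "values_to_guess": (PORT_SPACE, 2 ** 128),
    }
```

In the weak model the only secret is a value drawn from 65,535 possibilities, and the shared proxy address removes the IP check as a barrier; a per-session random token makes the port irrelevant to authentication.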
Yesterday, the Cisco Product Security Incident Response Team (PSIRT) said it was investigating the vulnerability further.
Hoang Dung