Cisco fixes critical bug that exposed networks to hackers

The bug had a rare 9.8 out of 10 score on the common vulnerability severity rating scale.
Written by Zack Whittaker, Contributor

A "critical"-rated bug in one of Cisco's network access management devices could have allowed hackers to remotely break into corporate networks.

The bug was found in Cisco's Secure Access Control System (ACS), which system administrators use to authenticate users across a network. Although the vulnerability had a 9.8 out of 10 score on the common vulnerability severity rating, details remained scarce.

Now, two security researchers at Positive Technologies, which reported the bug to Cisco, have explained that an attacker could gain near-unfettered access to a corporate network.

According to the researchers, an attacker already on the network could collect or modify the credentials of users on network devices and perform man-in-the-middle attacks.

If a device was accessible from the internet, it would be at far greater risk of remote attacks.

"If Cisco ACS is integrated with Microsoft Active Directory -- which is often the case -- an attacker can steal the credentials of the domain administrator," said Mikhail Klyuchnikov, who discovered the bug. Even without Active Directory integration, an attacker can still control connected routers and firewalls to intercept and modify traffic on the network -- or even gain access to closed-off sensitive areas of the network.

The issue at hand is how the server handles messages in AMF3, a binary format that's used across various programming languages and platforms, including Python and Perl as well as Flash and Java. In this case, an attacker can serialize a malicious Java object, that is, put it into a format that's suitable for sending over a network, so that when the server loads the object, it runs the malicious code.
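To illustrate why loading such a message is risky, this added example (not from the article, Cisco or Positive Technologies) decodes the header of a bare AMF3 object and shows that the class name, and the "externalizable" flag that hands decoding of the body to that class, are both chosen by the sender. The allow-list, class names and sample bytes are constructed, and only the outermost object is inspected, not nested values or the surrounding AMF packet envelope.

```python
ALLOWED = {"com.example.LoginRequest"}  # constructed allow-list (assumption)

def read_u29(buf, pos):
    """Decode AMF3's 1-4 byte integer; returns (value, next_pos)."""
    n = 0
    for k in range(4):
        b = buf[pos]
        pos += 1
        if k == 3:
            return (n << 8) | b, pos       # fourth byte carries 8 data bits
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last byte
            return n, pos

def object_header(buf):
    """Return (class_name, externalizable) for a leading AMF3 object, else None."""
    if not buf or buf[0] != 0x0A:          # 0x0A is the AMF3 object marker
        return None
    h, pos = read_u29(buf, 1)
    if (h & 0b11) != 0b11:                 # object or traits back-reference
        raise ValueError("first object cannot be a reference")
    n, pos = read_u29(buf, pos)            # header of the class-name string
    if not n & 1:
        raise ValueError("first string cannot be a reference")
    name = buf[pos:pos + (n >> 1)]
    if len(name) != n >> 1:
        raise ValueError("truncated class name")
    return name.decode("utf-8"), bool(h & 0b100)

def verdict(buf, allowed=ALLOWED):
    """Classify a message before any deserializer is allowed to touch it."""
    try:
        head = object_header(buf)
    except (IndexError, ValueError):       # includes invalid UTF-8
        return "malformed"
    if head is None:
        return "not-an-object"
    name, externalizable = head
    if externalizable:                     # body would be parsed by the named class
        return "externalizable"
    return "ok" if name == "" or name in allowed else "unlisted-class"

def amf3_str(s):  # inline AMF3 string: (length << 1 | 1), then UTF-8 bytes
    return bytes([len(s) << 1 | 1]) + s.encode()

# Constructed sample messages
GOOD = b"\x0a\x13" + amf3_str("com.example.LoginRequest") + amf3_str("user") + b"\x06" + amf3_str("alice")
EXTERNALIZABLE = b"\x0a\x07" + amf3_str("com.example.Unknown") + b"\x00\x01"
UNLISTED = b"\x0a\x03" + amf3_str("com.example.Other")
```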

Cisco's Secure Access Control System is no longer on sale and reached its end-of-life last year, but the networking giant fixed the bug last month.

A spokesperson for Cisco told ZDNet that the company doesn't expand on vulnerabilities in its security reports but confirmed that the report by Positive was accurate.

It's not known how many devices are affected, the spokesperson said, and the company's Product Security Incident Response Team said the company is "not aware of any malicious use of this vulnerability".
