Cisco NAC vulnerable to attack

Cisco Systems has issued an advisory about two serious software vulnerabilities in one of its network access control products, Cisco NAC Appliance, also known as Cisco Clean Access (CCA).

Cisco NAC Appliance, which checks that external devices attempting to log on to a company network are compliant with security policy, contains two flaws that an attacker could use to gain control of the devices, or compromise sensitive information including passwords.

The NAC Appliance includes software that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access a network. Clean Access consists of two applications that work in tandem — Clean Access Manager (CAM) and Clean Access Server (CAS).

For the CAM to authenticate to the CAS, each holds a "shared secret" — pieces of information which, when combined, allow authentication to occur. It appears, though, that this system is flawed in older versions of the software.

According to the Cisco advisory, the vulnerability — called "unchangeable shared secret" — means the shared secret cannot be properly set or changed during setup. This also means that the shared secret will be the same across all affected devices, which drastically reduces its cryptographic effectiveness.

To exploit this vulnerability the adversary must first be able to establish a TCP connection to the CAS.

Successful exploitation of the unchangeable shared secret vulnerability may enable a malicious user to take administrative control of a CAS. After that, every aspect of CAS can be changed including its configuration and setup, said Cisco.

Versions affected by this vulnerability are CCA releases 3.6.x to 3.6.4.2 and releases 4.0.x to 4.0.3.2.

Releases that contain the fix for this vulnerability are 3.6.4.3, 4.0.4 and 4.1.0. All subsequent releases already contain a fix.

An alternative is to install patch Patch-CSCsg24153.tar.gz which is available from Cisco's website.

The second vulnerability, called "readable snapshots", means that manual backups of the database — or "snapshots" — taken on the CAM are susceptible to brute force download attacks. A malicious user can guess the file name and download it without authentication. The file itself is not encrypted or otherwise protected.

The snapshot contains sensitive information that can aid in attacks on the CAS, or can be used to compromise the CAM. Among other things, the snapshot can contain passwords in cleartext.

Versions affected by the readable snapshots vulnerability are CCA releases 3.5.x to 3.5.9 and releases 3.6.x to 3.6.1.1.

Releases that contain the fix for this vulnerability are 3.5.10 and 3.6.2. All subsequent releases will contain the fix, said Cisco.

No patch is available for the readable snapshots vulnerability, but a workaround is possible by removing snapshot files from the device shortly after they are created. If the snapshot file needs to be preserved then it can be moved to a different computer or archived on a secondary storage, said Cisco. Alternatively, the snapshot file can be deleted from the device.

There are currently no known exploits for either vulnerability. The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities.

The readable snapshot issue was reported to Cisco by Chris Hartley from Ohio State University. The unchangeable shared secret was discovered while working on a Cisco customer's case and is unrelated to Hartley's report, according to Cisco.