-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is in response to the email posted by 'llhansen-bugtraq@xxxxxxxxx' on August 19, 2005. The original email is available at http://www.securityfocus.com/archive/1/408603/30/0/threaded . Attached: a cleartext, PGP signed version of this same email. Hi llhansen, While it is correct that a user can modify the 'User-Agent' string on access to the CCA Server authentication page in order to prevent installation of the CCA Agent, there are some things that should be clarified: 1) Users cannot bypass authentication irrespective of the value of the 'User-Agent' string provided. Hence, there is no danger of invalid users (users with no credentials or invalid credentials) getting onto the network. 2) If there is the suspicion that a malicious user might try to masquerade as non-Windows machines, e.g. Linux, in order to bypass CCA Agent installation, the administrator can define Network Scanning rules on the CCA Manager and use Nessus scans to determine the real OS in use. This will catch users that are masquerading. For this, the CCA administrator can either obtain the appropiate plug-ins from Tenable or www.nessus.org - as an alternative, users can write and integrate their own plugins. 3) Furthermore, if the malicious user installs a personal firewall or similar software, in order to make the network scan timeout, CCA provides options to quarantine the malicious user if the network scan times out. Hence, such users can also get quarantined, following which administrators can determine whether the user is masquerading or not. CCA continues to evolve and include safeguards to prevent malicious users from trying to bypass the checks in place. Thank you for your work on this problem. As always, working with the Cisco PSIRT team is the best way to verify the accuracy of information before posting it publicly. We do greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist with Product Security Advisories. Our ultimate goal is to ensure that customers have accurate information on which to base upgrade and workaround decisions and we welcome partnership with researchers towards that goal. Thanks, Dario Quidquid latine dictum sit, altum viditur Dario Ciccarone CCIE #10395 Product Security Incident Response Team (PSIRT) Cisco Systems, Inc. dciccaro@xxxxxxxxx > -----Original Message----- > From: llhansen-bugtraq@xxxxxxxxx [mailto:llhansen-bugtraq@xxxxxxxxx] > Sent: Friday, August 19, 2005 12:30 PM > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: Cisco Clean Access Agent (Perfigo) bypass > > Description: > Cisco Clean Access is an easily deployed software solution > that can automatically detect, isolate, and clean infected or > vulnerable devices that attempt to access your network. It > identifies whether networked devices such as laptops, > personal digital assistants, even game consoles are compliant > with your network's security policies and repairs any > vulnerabilities before permitting access to the network. > > Vendor site: > http://www.cisco.com/en/US/products/ps6128/ > > Affected versions: > This works in at least 3.5.3.1 and 3.5.4. > > Discovery Date: > 2005-08-12 > > Report Date: > 2005-08-19 > > Severity: > Medium > > Vulnerability: > End users can bypass the "mandatory" installation of the > Clean Access Agent by changing the User-Agent string of their > browser. This allows them to connect to the network without > the host-based checks being run. If configured, remote checks > are still run. > -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQwni8IyVGB+6GuDwEQIruwCdF/lpHQCavH7KKNtYk2RGLycAyPkAoN1W J9PSv19tU6lDJB39nR1Hiteg =FrBo -----END PGP SIGNATURE-----
Attachment:
cisco-bugtraq-cca-final.txt.asc
Description: cisco-bugtraq-cca-final.txt.asc