<<< Date Index >>>     <<< Thread Index >>>

DoS in Cisco Clean Access



Date of release: 16/12/2005
Software: Cisco Clean Access/Perfigo CleanMachines 
(http://www.cisco.com/en/US/products/ps6128/index.html)
Affected versions: Tested on 3.5.5, assumed all <=current.
Risk: Medium/High
Discovered by: Alex Lanstein 

Background
--------
Cisco Clean Access is an easily deployed Network Admission Control solution 
that can automatically detect, isolate, and clean infected or vulnerable 
devices that attempt to access your network - regardless of the access method. 
It identifies whether networked devices such as laptops, personal digital 
assistants, or even game consoles are compliant with your network's security 
policies, and repairs any vulnerabilities before permitting access to the 
network.

The software that is affected resides on the Secure Smart Manager, not the 
Secure Smart Server.  

Details
-------
The method below has the possibility to create a denial of service on a few 
layers.  One, a user without a username or password can use the vulnerability 
to upload files to a web visable folder for fun and profit.  The user could 
also fill up the drive as it seems, aside from /boot, the rest of the drive is 
one big partition.  Filling up the drive would most definately cause the system 
to lock up in its current configuration.  

In /admin/uploadclient.jsp there is a lack of authentication check so that 
anyone who browses to the page can upload files directly to the web visable 
folder /installer/windows.  This is clearly unacceptable.

Similar types of attacks can be launched from apply_firmware_action.jsp and 
file.jsp.  

Solution(s)
--------
The vendor, Cisco Systems, should prepend _all_ files, especially all .jsp 
files, with an authentication check.  This seems to be the case with most, but 
not all of the files.  

The vendor should also use a better partitioning scheme in its installs.

Managers of these systems should add some sort of overall .htaccess/.htpasswd 
system while they are waiting for the vendor patch, as I'm sure that under 
further investigation by the engineers many more files are affected than those 
listed above.

External discussion and developments:
be .aware | http://www.awarenetwork.org/forum/viewtopic.php?p=2236