Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
From: ovt@xxxxxxxxxxxx
Date: 21 Dec 2005 17:27:10 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi!

The following is the description of the vulnerability in the Cisco 
implementation of downloadable ACLs, which are used by the Cisco PIX firewall 
authentication proxy (aka cut-through proxy) and VPN 3000 concentrators.

When an administrator creates an ACL on the Cisco Secure Access Control Server 
(CS ACS Radius server) it is assigned the internal name 
#ACSACL#-IP-uacl-<random>. For example, the name may be the following: 
#ACSACL#-IP-uacl-43a97a9d. The <random> is changed by CS ACS every time the ACL 
is modified by the administrator. At the same time the internal hidden user 
with the name #ACSACL#-IP-uacl-43a97a9d and the password 
#ACSACL#-IP-uacl-43a97a9d (!) is created by CS ACS. This user is not seen in 
the CS ACS GUI.

The protocol used by the PIX to download the ACL works as follows: 0) User goes 
to Internet (for example) thru the PIX via HTTP(s). PIX asks a username and a 
password. User enters them into the dialog window. 1) PIX sends Radius 
Access-Request to CS ACS to authenticate the user (the user password is 
encrypted by Radius). 2) Radius server authenticates the user and sends back 
the cisco-av-pair Vendor-specific attribute (VSA) with the value 
ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-uacl-43a97a9d. 3) PIX again sends 
Radius Access-Request to authenticate the user #ACSACL#-IP-uacl-43a97a9d. 4) 
Radius server authenticates the user and sends back the ACL body as another 
cisco-av-pair VSA attribute (ip:inacl#1= ...).

Vulnerability:

This basically means that everybody with a sniffer can see the username 
#ACSACL#-IP-uacl-43a97a9d which is sent over the network in clear by the Radius 
protocol from the CS ACS server to the PIX. The password of this user is the 
same as the username. If some network device is configured to use the very same 
CS ACS server for login authentication then the sniffed username can be used to 
login to this network device.

Setting Radius IETF attribute Service-type to "Outbound" to prevent using this 
username for logins may not help: 1) it's impossible to set this attribute for 
the user #ACSACL#-IP-uacl-43a97a9d, because the user is not seen in the CS ACS 
Web interface 2) it's not always possible to set it for the "default" group 
(the user #ACSACL#-IP-uacl-43a97a9d always belongs to the "default" CS ACS 
group), because this group may be used for something else 3) some network 
devices (most notably the PIX firewall) ignore the Service-Type attribute (PIX 
firewall 6.x code does not support login authorization at all (!)). Cisco 
routers ignore this attribute if authorization is not configured (only 
authentication is configured).

Generally speaking the Radius protocol is not appropriate for doing such things 
as downloading ACLs or other attributes on behalf of the user on an "as-needed" 
basis, as it doesn't separate the authentication and authorization. Usually 
this leads to creation of a fake user with the password "cisco" or 
"<username>". Unfortunately this practice is common on Cisco devices.

Thx,
Oleg Tipisov,
Moscow

Follow-Ups:
- Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
  - From: Eloy A. Paris
- Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
  - From: 3APA3A

Prev by Date: XSS vulnerabilities in Google.com
Next by Date: MDKSA-2005:235 - Updated kernel packages fix numerous vulnerabilities
Previous by thread: XSS vulnerabilities in Google.com
Next by thread: Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
Index(es):
- Date
- Thread