Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability

To: ovt@xxxxxxxxxxxx
Subject: Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Thu, 22 Dec 2005 18:37:01 +0300
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20051221172710.23949.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <20051221172710.23949.qmail@xxxxxxxxxxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear ovt@xxxxxxxxxxxx,

--Wednesday, December 21, 2005, 8:27:10 PM, you wrote to 
bugtraq@xxxxxxxxxxxxxxxxx:


orr> Generally speaking the Radius protocol is not appropriate for
orr> doing such things as downloading ACLs or other attributes on behalf
orr> of the user on an "as-needed" basis, as it doesn't separate the
orr> authentication and authorization. Usually this leads to creation of
orr> a fake user with the password "cisco" or "<username>".
orr> Unfortunately this practice is common on Cisco devices.

 You're  100%  right  with  your  statements, but not with conclusion on
 RADIUS usability. Problem described is implementation vulnerability. Of
 cause,  RADIUS was never meant to transmit large amount of data, as ACL
 may be. But this procedure can be done secure. In this scenario

orr> The  protocol used by the PIX to download the ACL works as follows:
orr> 0)  User  goes  to Internet (for example) thru the PIX via HTTP(s).
orr> PIX  asks  a  username  and  a  password. User enters them into the
orr> dialog  window.  1)  PIX  sends  Radius Access-Request to CS ACS to
orr> authenticate  the  user (the user password is encrypted by Radius).
orr> 2)  Radius  server  authenticates  the  user  and  sends  back  the
orr> cisco-av-pair   Vendor-specific  attribute  (VSA)  with  the  value
orr> ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-uacl-43a97a9d. 3) PIX again
orr> sends    Radius    Access-Request    to   authenticate   the   user
orr> #ACSACL#-IP-uacl-43a97a9d.  4) Radius server authenticates the user
orr> and  sends back the ACL body as another cisco-av-pair VSA attribute
orr> (ip:inacl#1= ...).

 It's  possible  to  send  ACL body on step 2 instead of 4, as it should
 according to RADIUS ideology. Of cause, for large ACL whole ACL may not
 fit  in a single RADIUS reply, because RADIUS packet is limited to 4096
 bytes  according to standard. Probably, in Cisco case NAS repeats steps
 3-4  instead  of 1-2 and pseudo-user was implemented for performance in
 case  of  large  ACLs,  because  real user authentication for each loop
 requires  more  resources.  It's  clearly Cisco specific performance vs
 security  design  bug.  Of  cause better solution is to send ACL number
 with RADIUS and receive ACL itself with i.e. TFTP.

-- 
~/ZARAZA
http://www.security.nnov.ru/

References:
- Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
  - From: ovt

Prev by Date: CYBSEC - Security Advisory: httprint Multiple Vulnerabilities
Next by Date: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Previous by thread: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
Next by thread: Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
Index(es):
- Date
- Thread