cisco nac bypass vulnerability - cisco trust agent

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: cisco nac bypass vulnerability - cisco trust agent
From: thorben schroeder <thorben@xxxxxxxxx>
Date: Mon, 8 Jan 2007 20:29:23 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: thorben <thorbenatgawabcom@xxxxxxxxxxxxxxxxx>

hello list,
the  cisco  network  admission control system gives an adminitrator the
chance  to  check  the  clients,  whether  they have installed certain
patches / hotfixes. this check is not reliable.

programm version: cisco trust agent 2.0.1.14 (probably all versions)
os: windows xp sp2
vendor informed: yes (got only automated feedback mail)
severity: low - med

vulnerability:  the cta checks the patch level only with some registry
queries which can be manipulated

example:
- "Cisco:Host:Hotfix contains KB919007" as posture validation
- the KB919007 hotfix is not installed!
- copy the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows
XP\SP3\KB873339 key and change it into a KB919007 key
- result: client is healty

regards
thorben

Follow-Ups:
- Re: cisco nac bypass vulnerability - cisco trust agent
  - From: Stefano Zanero

Prev by Date: [SECURITY] [DSA 1247-1] New libapache-mod-auth-kerb packages fix remote denial of service
Next by Date: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Previous by thread: [SECURITY] [DSA 1247-1] New libapache-mod-auth-kerb packages fix remote denial of service
Next by thread: Re: cisco nac bypass vulnerability - cisco trust agent
Index(es):
- Date
- Thread