Vulnerabilities > CVE-2008-2441 - Resource Management Errors vulnerability in Cisco Secure Access Control Server and Secure ACS

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
cisco
CWE-399
nessus

Summary

Cisco Secure ACS 3.x before 3.3(4) Build 12 patch 7, 4.0.x, 4.1.x before 4.1(4) Build 13 Patch 11, and 4.2.x before 4.2(0) Build 124 Patch 4 does not properly handle an EAP Response packet in which the value of the length field exceeds the actual packet length, which allows remote authenticated users to cause a denial of service (CSRadius and CSAuth service crash) or possibly execute arbitrary code via a crafted RADIUS (1) EAP-Response/Identity, (2) EAP-Response/MD5, or (3) EAP-Response/TLS Message Attribute packet.

Vulnerable Configurations

Part Description Count
Application
Cisco
1
Hardware
Cisco
1

Common Weakness Enumeration (CWE)

Nessus

NASL family: CISCO
NASL id: CISCO-SR-20080903-CSACS.NASL
description: The version of Cisco Secure Access Control System (ACS) running on the remote host has a memory corruption vulnerability. The length of EAP-Response packets is not properly parsed. Remote code execution could be possible, but has not been confirmed. A remote, unauthenticated attacker could exploit this to execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 69134
published: 2013-07-30
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/69134
title: Cisco Secure ACS EAP Parsing Vulnerability (cisco-sr-20080903-csacs)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the plugin only declares its
# metadata (ids, references, text, scoring, dependencies) and then exits, so
# none of the version logic after this block runs in this pass.
if (description)
{
  script_id(69134);
  script_version("1.8");
  script_cvs_date("Date: 2018/11/15 20:50:20");

  # Cross-references that tie a finding back to the CVE, the Bugtraq entry,
  # the Cisco bug id and the Cisco Security Response.
  script_cve_id("CVE-2008-2441");
  script_bugtraq_id(30997);
  script_xref(name:"CISCO-BUG-ID", value:"CSCsq10103");
  script_xref(name:"CISCO-SR", value:"cisco-sr-20080903-csacs");

  script_name(english:"Cisco Secure ACS EAP Parsing Vulnerability (cisco-sr-20080903-csacs)");
  # The summary states this is a version check.
  script_summary(english:"Checks ACS version");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote host is missing a vendor-supplied security patch."
  );
  # NOTE(review): the text below says "unauthenticated" and the CVSS vector
  # further down uses Au:N, whereas the CVE-2008-2441 description speaks of
  # "remote authenticated users". Confirm which precondition applies before
  # using this finding for exposure triage.
  script_set_attribute(
    attribute:"description",
    value:
"The version of Cisco Secure Access Control System (ACS) running on the
remote host has a memory corruption vulnerability.  The length of
EAP-Response packets is not properly parsed.  Remote code execution
could be possible, but has not been confirmed.  A remote,
unauthenticated attacker could exploit this to execute arbitrary code."
  );
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080903-csacs
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5e6f80d4");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Sep/33");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to the relevant Cisco Secure Access Control System version
referenced in Cisco Security Response cisco-sr-20080903-csacs."
  );
  # CVSS v2 base vector: network, low complexity, no authentication, partial
  # C/I/A impact. Temporal vector: exploit unproven, official fix available,
  # report confirmed. The two exploit attributes below agree with E:U.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(399);

  # Disclosure and patch share one date; the plugin itself was published in 2013.
  script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/09/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/30");

  # Declared as a "local" plugin type, scoped to the Secure ACS CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:secure_acs");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # The two required KB keys are the ones the check reads later; presumably
  # cisco_secure_acs_version.nasl is the plugin that populates them.
  script_dependencies("cisco_secure_acs_version.nasl");
  script_require_keys("Host/Cisco/ACS/Version", "Host/Cisco/ACS/DisplayVersion");

  # End of the registration pass.
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version-only check: the detected ACS version is read from the knowledge
# base and compared with the first fixed build of its release train.
# get_kb_item_or_exit() is expected (per its name) to stop the plugin when a
# key is missing.
ver = get_kb_item_or_exit("Host/Cisco/ACS/Version");
display_ver = get_kb_item_or_exit("Host/Cisco/ACS/DisplayVersion");

# Pick the fixed build for the release train. fix stays NULL for any train
# this check does not cover, i.e. the software is not vulnerable and no fix
# is needed.
# NOTE(review): the CVE-2008-2441 description gives the 3.x fix as
# "3.3(4) Build 12 patch 7", while this check compares against patch 8.
# Confirm against cisco-sr-20080903-csacs; a host on patch 7 is reported here.
fix = NULL;
if (ver =~ "^3\.")
{
  fix = '3.3.4.12.8';
}
else if (ver =~ "^4\.0\.")
{
  # No fixed 4.0.x build is listed, so every 4.0.x host is reported.
  fix = 'n/a (contact Cisco)';
}
else if (ver =~ "^4\.1\.")
{
  fix = '4.1.4.13.11';
}
else if (ver =~ "^4\.2\.")
{
  fix = '4.2.0.124.4';
}

# A host is not affected when its train is not covered, or when a real fixed
# build exists (no 'n/a' marker) and the installed version is at or above it.
# ver_compare() is only reached when fix is set.
not_affected = FALSE;
if (isnull(fix))
  not_affected = TRUE;
else if ('n/a' >!< fix && ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)
  not_affected = TRUE;

if (not_affected)
{
  audit(AUDIT_INST_VER_NOT_VULN, 'Secure ACS', display_ver);
}

# Report the finding on port 0; the installed and fixed versions are added
# only when report verbosity is above zero.
if (report_verbosity > 0)
{
  installed_line = '\n  Installed version : ' + display_ver;
  fixed_line = '\n  Fixed version     : ' + fix + '\n';
  report = installed_line + fixed_line;
  security_hole(port:0, extra:report);
}
else
{
  security_hole(0);
}

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 30997 CVE ID:CVE-2008-2441 CNCVE ID:CNCVE-20082441 Cisco Secure ACS是一款Cisco网络设备的中央管理平台,用于控制设备的认证和授权。 Cisco Secure ACS不正确解析EAP-Response报文长度,远程攻击者可以利用漏洞对服务程序进行拒绝服务攻击或可能导致任意代码执行。 远程攻击者(作为RADIUS客户端)可以针对Cisco Secure ACS服务器发送EAP应答报文,可导致CSRadius服务不稳定或崩溃。设置EAP-Response报文的长度字段为一定大小的值,如大于实际报文长度,可触发此漏洞。任意EAP-Response报文如EAP-Response/Identity, EAP-Response/MD5, EAP-Response/TLS可利用此漏洞。 触发漏洞后在Windows事件查看器中会提示错误消息"The CSAuth service terminated unexpectedly"和"The CSRadius service terminated unexpectedly"。 Cisco Virtual Central Office 4000 (VCO/4K) 4.1(1) build 23 Cisco Secure ACS for Windows 4.1 Cisco Secure Access Control Server 4.0.1 Cisco Secure Access Control Server 3.3.2 Cisco Secure Access Control Server 3.3.1 Cisco Secure Access Control Server 3.3 (1) Cisco Secure Access Control Server 3.3 Cisco Secure Access Control Server 3.2.2 Cisco Secure Access Control Server 3.2.1 Cisco Secure Access Control Server 3.2 (3) Cisco Secure Access Control Server 3.2 (2) Cisco Secure Access Control Server 3.2 (1.20) Cisco Secure Access Control Server 3.2 (1) Cisco Secure Access Control Server 4.1 Cisco Secure Access Control Server 4.0 Cisco CiscoSecure ACS for Windows 3.2 Cisco CiscoSecure ACS for Windows 3.1 供应商提供了最新的升级程序: Cisco Secure ACS for Windows 4.1 Cisco CS ACS for Windows http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des
id: SSV:3987
last seen: 2017-11-19
modified: 2008-09-10
published: 2008-09-10
reporter: Root
title: Cisco Secure ACS EAP-Response报文解析拒绝服务漏洞