|
Brought to you by:
Suppliers of:
|
|
|
| |
Cisco Security Agent Management Center (CSAMC) contains an administrator authentication bypass vulnerability when configured to use an external Lightweight Directory Access Protocol (LDAP) server for authentication.
Successful exploitation of this vulnerability allows an attacker with a valid administrator username to gain access to the CSAMC application with the role privileges of the compromised administrator account. |
| |
Credit:
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20061101-csamc.shtml
|
| |
Vulnerable Systems:
* CSAMC version 5.1 prior to Hotfix 5.1.0.79
Immune Systems:
* CSAMC versions prior to 5.1
Cisco Security Agent Management Center (CSAMC) version 5.1 contains an administrator authentication bypass vulnerability when configured to authenticate administrators against an external LDAP server.
There are three roles for CSAMC administrators: configure, deploy, and monitor. The configure role has complete access to the CSAMC application, including the ability to create security policies. The deploy role can create agent kits, deploy security policies, and perform application monitoring. The deploy role cannot modify security policies. The monitoring role can only perform application monitoring functions.
All CSAMC administrator accounts are defined in the local CSAMC database and have an assigned role. CSAMC can be configured to use an external LDAP server to authenticate administrators. As a safety feature, it is possible to specify certain administrator accounts to fall back to local authentication if the LDAP server is unavailable.
If CSAMC is configured to use LDAP for authentication, it is possible to supply a valid administrator username and blank (zero length) password and gain administrative access to the CSAMC application with the role privileges of the administrator. This vulnerability occurs when CSAMC incorrectly handles an authentication failure message from the LDAP server. The administrator password stored on the LDAP server is a valid, non-blank password.
CSAMC version 5.1 is the first to include external LDAP authentication. LDAP authentication is not the default configuration for CSAMC and must be explicitly configured. The LDAP server in this configuration is not built into CSAMC.
Information on configuring administrator LDAP authentication for CSAMC can be found here:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_chapter09186a008066e98e.html#wp994975
Information on configuring role-based administration for CSAMC can be found here:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_chapter09186a008066e98e.html#wp965432
This vulnerability is documented in Cisco Bug ID CSCsg40822
If the administrator has a role of configure or deploy, it is possible to make policy changes for managed CSA clients. This may be leveraged to reduce the security posture of managed systems and allow potential
attacks against the managed systems.
Fix:
Fixed CSAMC (fcs-csamc-hotfix-5.1.0.79-w2k-k9.zip) software can be downloaded at:
http://www.cisco.com/cgi-bin/tablebuild.pl/csahf-crypto?psrtdcat20e2
Workaround:
It is possible to workaround this vulnerability by disabling external LDAP authentication and configuring administrators to authenticate against the local CSAMC database.
Disclosure Timeline:
* 2006-November-01 - Initial public release.
|
|
|
|
|
