A vulnerability has been discovered in Cisco's Secure Access Control Server (ACS), a key part of Cisco's trust and identity management framework and one of the cornerstones of the vendor's Network Admission Control (NAC) initiative.
Secure ACS is an identity networking solution that simplifies user management by combining authentication, user and administrator access, and policy control. It includes a flaw that could enable attackers to gain administrative access to the Web-based interface used to manage network devices, according to independent security researcher Darren Bounds, who revealed the flaw in a post to the Full Disclosure security mailing list last week.
Secure ACS is essentially the hub of Cisco's NAC framework and it relies heavily on the ability of the user and endpoints to authenticate against a central directory, Bounds said. "Ultimately, compromising Secure ACS grants you administrative access to any devices that the server is responsible for authenticating," said Bounds.
The flaw is "fairly trivial" to exploit because the information needed to exploit it can be easily acquired and may already exist in some circumstances, Bounds said. For example, many companies handle access to the Secure ACS through a proxy, which means all clients have the same IP address, he noted.
To exploit the flaw, attackers also need to find out which dynamic port is being leveraged by the ACS server for administration purposes, and that information is easy to predict because the current implementation of Secure ACS uses automatic port allocation, Bounds said.