Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   Cisco Secure Access Control System Vendors:   Cisco
Cisco Secure Access Control Server EAP-TLS Bug Lets Remote Users Be Authenticated Without Proper Credentials
SecurityTracker Alert ID:  1012046
SecurityTracker URL:
CVE Reference:   CVE-2004-1099   (Links to External Site)
Updated:  Dec 1 2004
Original Entry Date:  Nov 2 2004
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.3.1
Description:   A vulnerability was reported in Cisco Secure Access Control Server in the processing of EAP-TLS authentication data. A remote user can gain access to the network.

It is reported that a remote user can supply a certificate that is cryptographically correct (i.e., with all the proper fields and information) and has a valid username to gain access to the network, even if the certificate is not signed by a trusted authority.

Impact:   A remote user can gain access to the entire network that is protected by Cisco Secure ACS.
Solution:   The vendor has issued a fixed version (3.3.2).

Users of the affected version Cisco Secure Access Control Server can upgrade or can replace the current CSCRL.dll Windows Dynamic Link Library (DLL) in the Windows System32 folder with a fixed DLL and restart Cisco Secure ACS for Windows. Replacing the DLL fixes the problem and does not require a full upgrade.

The DLL fix ( for Cisco Secure Access Control Server is available at:

An upgrade package for the DLL fix ( for Cisco Secure ACS Solution Engine is available at:

Vendor URL: (Links to External Site)
Cause:   Authentication error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC