SecurityTracker.com
Category:   Application (Security)  >   Cisco Secure Access Control System
Vendors:   Cisco
Cisco Secure ACS May Disclose Administrator Passwords to Local or Remote Authenticated Users
SecurityTracker Alert ID:  1016042
SecurityTracker URL:  http://securitytracker.com/id/1016042
CVE Reference:   CVE-2006-0561
Updated:  Dec 5 2009
Original Entry Date:  May 9 2006
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes  
Version(s): 3.x
Description:   A vulnerability was reported in Cisco Secure Access Control Server (ACS). A local administrator can obtain the passwords of all ACS administrators.

A local administrative user or remote authenticated administrative user with access to the Windows registry can obtain from the registry a clear text version of the master key used to encrypt ACS administrator passwords. With this key, the user can decrypt all ACS administrator passwords.

With administrative credentials, the user can then change the password for any locally defined users. As a result, the user may be able to gain access to network devices that are configured to use Cisco Secure ACS for authentication.

Cisco has assigned Cisco Bug ID CSCsb67457 to this vulnerability.

Cisco Secure ACS for Windows 4.0.1 and Cisco Secure ACS for UNIX are not affected.

Cisco Secure ACS version 3.x appliances are not affected because they do not permit local or remote Windows registry access.

Andreas Junestam and Symantec reported this vulnerability.

Impact:   A local administrator or remote authenticated administrator can obtain the passwords of all ACS administrators.
Solution:   No solution was available at the time of this entry.

A workaround is described in the Cisco advisory, available at:

http://www.cisco.com/warp/public/707/cisco-sr-20060508-acs.shtml

Vendor URL:  www.cisco.com/warp/public/707/cisco-sr-20060508-acs.shtml
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.



Copyright 2022, SecurityGlobal.net LLC