Cisco Secure ACS Unauthorized Password Change Vulnerability

I just finished testing a solution involving ACS 5.2 and Active Directory, when this “good news” hit me in the face. It seems that ACS has a vulnerability that allows an unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password.

You might think that this affects only older versions of the ACS, but in fact the recent 5.x releases are the ones affected by this bug (Cisco bug ID CSCtl77440):

Vulnerable Products

The following Cisco Secure ACS versions are affected by this vulnerability:

  • Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed
  • Cisco Secure ACS version 5.2 without any patches installed
  • Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed

The previous list applies to both the hardware appliance and the software-only versions of the product.
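The three bullets above are easy to misread when you have a dozen appliances at different patch levels, so here is a small audit script that encodes them as written. This is an added example, not code from Cisco or from the original post; the inventory format (one line per server: hostname, version, comma-separated patch numbers or “-” for none) and the hostnames in the sample are assumptions made for the example. It only compares the version and patch list you collected against the advisory’s affected list; it does not touch the ACS servers themselves.

```python
"""Audit a Cisco Secure ACS 5.x inventory against the affected-version list
quoted above (Cisco bug ID CSCtl77440).

Added example, not code from Cisco or from the original post.  The inventory
format ("host version patches" per line) is an assumption for this example.
"""
from typing import Iterable, List, Tuple


def is_affected(version: str, patches: Iterable[int]) -> bool:
    """Return True if (version, installed patches) matches an affected entry.

    Encodes the three bullets of the advisory's "Vulnerable Products" list:
      5.1: patch 3, 4 or 5 (any combination) present and no patch 6 or later
      5.2: no patches, or only patches 1 and/or 2, and no patch 3 or later
    Anything else (5.0, 5.1 without any of patches 3-5, 5.2 with patch 3 or
    later, other releases) is not on the list and is reported as not affected.
    """
    installed = set(patches)
    if version == "5.1":
        return bool(installed & {3, 4, 5}) and not any(p >= 6 for p in installed)
    if version == "5.2":
        return not any(p >= 3 for p in installed)
    return False


def parse_inventory_line(line: str) -> Tuple[str, str, List[int]]:
    """Parse 'hostname version patches', where patches is '1,2,3' or '-'."""
    fields = line.split()
    if len(fields) == 2:          # patch column omitted: treat as unpatched
        host, version = fields
        patch_field = "-"
    elif len(fields) == 3:
        host, version, patch_field = fields
    else:
        raise ValueError(f"malformed inventory line: {line!r}")
    patches = [] if patch_field == "-" else [int(p) for p in patch_field.split(",")]
    return host, version, patches


def audit(inventory: Iterable[str]) -> List[Tuple[str, bool]]:
    """Return (hostname, affected) for every non-comment line in the inventory."""
    results = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version, patches = parse_inventory_line(line)
        results.append((host, is_affected(version, patches)))
    return results


# Constructed sample inventory (hostnames and patch levels are made up).
SAMPLE_INVENTORY = """
# host      version  patches
acs-dc1     5.2      -
acs-dc2     5.2      1,2
acs-lab     5.2      1,2,3
acs-old     5.1      3,4
acs-old2    5.1      3,4,5,6
acs-base    5.1      1
""".splitlines()

if __name__ == "__main__":
    for host, affected in audit(SAMPLE_INVENTORY):
        print(f"{host:10} {'AFFECTED' if affected else 'not affected'}")
```

Note that a 5.1 box with no patches or only patches 1 and 2 is reported as not affected simply because the advisory does not list it; the script reports what the advisory says, nothing more.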

There is no workaround for this bug, but Cisco recommends some actions to limit exposure. One recommendation is to limit the number of machines that have direct network access to the ACS servers. If you provide the UCP (User Change Password) service, the recommendation is to stop it, and not to allow any machine that offers UCP to reach ACS. These measures are easiest to apply if your ACS servers sit in a dedicated management network that administrators reach remotely.

Now for some good news. This vulnerability only works against users defined in the ACS internal identity store, so if you authenticate against an external identity store such as Active Directory, those accounts are safe. Here are the account types the advisory says the exploit cannot touch:

This vulnerability cannot be used to change the password for the following types of user accounts:

  • User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server
  • System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface
  • User accounts for the Cisco Secure ACS server itself that have been configured through the username <username> password <password> CLI command

This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any user attributes except the user password.

For more information have a look at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b74117.shtml

The Essentials of CCNA Webinar

I just received an e-mail from Cisco about a free CCNA webinar. It may be useful for those who want to become a CCNA or just want to know what CCNA is all about.

It’s one of the most recognized certifications in the IT industry today—now find out why so many networking professionals consider the Cisco CCNA® certification one of the most important stepping stones towards building a successful career in information technologies.

This informative, 90-minute webinar highlights the technologies and topics an individual will need to know to achieve their CCNA certification. In addition, The Essentials of CCNA webinar reviews the latest training methods and content available for CCNA, as well as the certifications and career paths available after you’ve achieved your certification. You’ll hear from Cisco Subject Matter Experts who developed the actual CCNA exam and course materials.

The webinar is free and is recommended for individuals who are thinking of becoming CCNA certified, or have just started preparing to take their CCNA exams. Don’t delay, register today.

Event: The Essentials of CCNA webinar
Date: March 30
Time: 8:00 a.m. Pacific Daylight Time
Cost: Free
Registration link: https://cisco.webex.com/cisco/onstage/g.php?t=a&d=204136809

Cisco Interactive Technology Workshop: Video Collaboration

Today I got an invitation from Cisco to attend their webcast regarding First Steps in Video Collaboration. I believe all of you out there who have a subscription to Cisco.com got this invitation, but just in case you didn’t, here are the details.

Don’t ask me whether this is just marketing or real technical stuff, but as long as it is free I think it is worth spending some time to check this webcast.

This session will help you understand how Cisco Video Collaboration solutions make your working environment more flexible and agile by integrating the different Cisco Video Solutions available at your disposal today. The session will guide you in taking your first steps in experiencing an effective collaborative environment to increase employee productivity, and focus on building the knowledge organization.

Topics include:

  • Introducing Cisco CIUS
  • Interactive Video Integration Across Endpoints
  • Sharing Video
  • Short Demonstration
  • Live Q&A

If you have questions about Unified Communications you’ll have the opportunity to ask them in the live Q&A section.

Join here

If possible, let me know in the comments whether you found this session interesting.

Petition for Educational Cisco IOS emulator

Sign Educational Petition

The Cisco IOS Emulator Petition

We the undersigned ask Cisco to consider our petition for an open and usable IOS Emulator for learning, study and training.

We are the people who are learning about Data networking and Cisco IOS software. As students and practitioners, we need to learn theory and knowledge and then to take that knowledge and practice on Cisco IOS software.

We want to be able to practice that knowledge, and demonstrate our competence. We know that you are considering the value. This petition is to show our need for this solution. Wendell Odom discusses the possibility in Cisco Considers IOS for Certification Self Study and we are calling for Cisco to make an option available.

This experience and knowledge we gain gives us the capability to make the most of Cisco equipment for our employers, your customers. We help drive the best return on investment, and keep the network performing in the way that your customers expect.

We can test configurations prior to making them and be better prepared. We can develop more complex configurations than would otherwise be possible, and not blame the equipment afterwards.

We resolve problems more quickly, we make better designs and we have greater confidence in our work. We raise fewer support cases (and reduce your costs) by being able to perform our own testing and validation.

Whether we are resellers, consultants, students or just interested in learning, we all need a practical method to access IOS and practice.

Therefore, we are asking Cisco Systems to make a version of IOS available for educational and testing purposes.

by Greg Ferro at Etherealmind

Please sign this petition. Together we can be strong!

Cisco VNI: Mobile Data Traffic Forecast 2011

26X. That’s the amount of increase in traffic the global mobile internet is going to have over a 5 year span from 2010 to 2015, as forecast by the latest iteration of the Cisco Visual Networking Index.

The next lines and video do not belong to me, but they exist thanks to Cisco VNI. Interesting forecast. Whoever is too bored to read this can check the video at the end.

VNI Global Mobile Data Forecast Growth

As many of you long time readers know there are few things that get me as excited as this data because:

1. While we read about point announcements here or new services there, this gives context to us all and allows us to look at the “forest” vs. just the “trees”.
2. Our customers really, really (is it overdoing it to say “really” again) like this data, which gives us an opportunity to showcase just one of the ways that we strive to be not just a vendor but a partner to them, and it’s always great to spend more time with them.
3. The data is the result of a great team that I am proud to be a part of as well as data feeds from not just third party industry analysts whose forecasts we incorporate, but also that of contributions of over 390,000 people worldwide feeding us their unique, primary data about their network experience directly from their devices.
4. I think big numbers are simply cool.

And big numbers these indeed are. A twenty-six-fold increase in traffic is staggering, with the global loads increasing from 0.24 exabytes a month in 2010 (an exabyte is 10 to the 18th power bytes…or a billion gigabytes…not to mention, a fun word to say in its own right) to 6.3 exabytes per month in 2015. On an annual basis, 6.3 exabytes a month is 75 exabytes a year, which is equivalent to 75 times all the global mobile and fixed IP traffic in 2000, when anything and everything possible was going on the internet.

75 exabytes is equal to…

75 exabytes is also the equivalent of 536 quadrillion SMS text messages — but it’s not going to be driven by text.

Rather, video is going to be the main driver. In 2011, we forecast that video will pass the tipping point and be responsible for more than 50% of the global mobile IP traffic…in 2015, it will be 66%.

Seem far fetched?

Let’s look at the underlying trends:
* More devices — we forecast by 2015, there will be 5.6 billion personal devices on the mobile internet, plus more than 1.5 billion machine-to-machine connections. Think about your own household. Any new devices connected to the mobile internet? We had 3…and it’s not even getting to our birthday season yet. And all of them featured a lot of screen space just calling out more use of rich media and video. (the bigger the screen size, the higher the resolution of video needed, and the more bandwidth consumed)
* Enhanced computing — those newer devices are also packing some punch. Whether it’s smartphones or tablets (the fastest growing device type in our forecast), they are increasingly getting stronger chipsets which make them able to do more, such as running multiple bandwidth consuming applications at once.
* Faster mobile speeds — the mobile network is getting faster and faster (worldwide it more than doubled last year and we forecast it will increase another ten-fold in the next 5 years) and, as history has proven, the faster the network, the more we can do with it…the more we do with it. My sister and brother-in-law have fully gone down the path of mobile broadband substitution. With their 4G service, watching a show on their TV connected to their laptop is a breeze. With a smoking fast mobile connection, why wouldn’t we use more video?

By Cisco VNI

Thanks to CiscoSP360