Cisco Secure ACS Unauthorized Password Change Vulnerability

I just finished testing a solution involving ACS 5.2 and Active Directory, when this “good news” hit me in face. It seems that ACS has a vulnerability that allow an unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password.

You might think that this affects older version of the ACS, but in fact all recent versions are affected by this bug (CSCtl77440):

Vulnerable Products

The following Cisco Secure ACS versions are affected by this vulnerability:

  • Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed
  • Cisco Secure ACS version 5.2 without any patches installed
  • Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed

The previous list applies to both the hardware appliance and the software-only versions of the product.

There is no workaround for this bug, but Cisco recommend some actions to limit this problem. One of the recommendation is to limit the number of machines that have direct access to the ACS environment. If you provide UCP (User Change Password) service, then it is recommended to stop it and don’t allow any machine that offer UCP access to ACS. These actions would help if you have a central management area where you connect remotely in order to access your ACS servers.

Now for some good news. It seems that this vulnerability works only if the user is defined in the ACS internal identity store, so if you are using external identity store like Active Directory you are somehow safe. Here are the situations in which this exploit does not work:

This vulnerability cannot be used to change the password for the following types of users accounts:

  • User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server
  • System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface
  • Users accounts for the Cisco Secure ACS server itself that have been configured through the username username password password CLI command

This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any user attributes except the user password.

For more information have a look to: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b74117.shtml