===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2006.0325 -- [Win]
     Cisco Secure ACS for Windows - Administrator Password Disclosure
                                9 May 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Secure ACS 3.x for Windows
Publisher:         Cisco Systems
Operating System:  Windows
Impact:            Administrator Compromise
Access:            Existing Account
CVE Names:         CVE-2006-0561

Original Bulletin: 
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/tsd_products_security_response09186a0080682950.html

Comment: Note that an attacker would require administrative access to the
         registry of the computer where ACS is installed before this
         issue could be exploited.

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Response
==============

This is Cisco PSIRT's response to the statements made by Symantec in
its advisory: SYMSA-2006-003, posted on May 8, 2006.

The original email/advisory is available at:

http://www.symantec.com/enterprise/research/SYMSA-2006-003.txt

This issue is being tracked by Cisco Bug ID:

  * CSCsb67457 (registered customers only) -- Cisco Secure ACS
    Administrator Password Remote Retrieval and Decryption.

We would like to thank Andreas Junestam and Symantec for reporting
this vulnerability to us.

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information
======================

Cisco Secure Access Control Server (ACS) provides centralized
identity management and policy enforcement for Cisco devices.

CSCsb67457 (registered customers only) -- Cisco Secure ACS
Administrator Password Remote Retrieval and Decryption.

Symptom:

A person with administrative access to the Windows registry of a
system running Cisco Secure ACS 3.x for Windows can decrypt the
passwords of all ACS administrators.

Condition:

Cisco Secure ACS 3.x for Windows stores the passwords of ACS
administrators in the Windows registry in an encrypted format. A
locally generated master key is used to encrypt and decrypt the ACS
administrator passwords, and that master key is itself stored in the
Windows registry in an encrypted format. Using Microsoft cryptographic
routines, a user with administrative privileges on a system running
Cisco Secure ACS can obtain the clear-text version of the master key.
With the master key, the user can decrypt and obtain the clear-text
passwords of all ACS administrators. With administrative credentials
to Cisco Secure ACS, it is possible to change the password of any
locally defined user. This may be used to gain access to network
devices configured to use Cisco Secure ACS for authentication.

If remote registry access is enabled on a system running Cisco Secure
ACS, it is possible for a user with administrative privileges
(typically domain administrators) to exploit this vulnerability.

If Cisco Secure ACS is configured to use an external authentication
service such as Windows Active Directory / Domains or LDAP, the
passwords of users stored by those services are not at risk of
compromise via this vulnerability.

This vulnerability only affects version 3.x of Cisco Secure ACS for
Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco Secure ACS for
UNIX are not vulnerable. Cisco Secure ACS 3.x appliances do not
permit local or remote Windows registry access and are not
vulnerable.

Workaround:

It is possible to mitigate this vulnerability by restricting access
to the registry key containing the ACS administrators' passwords. One
feature of Windows operating systems is the ability to modify the
permissions of a registry key to remove access even for local or
domain administrators. Using this feature, the registry key
containing the ACS administrators' passwords can be restricted to
only the Windows users with a need to maintain the ACS installation
or operate the ACS services.

The following registry key and all of its sub-keys need to be
protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

Note: The "CiscoAAAv3.3" portion of the registry key path may differ
slightly depending on the version of Cisco Secure ACS for Windows
that is installed.

There are two general deployment scenarios for Cisco Secure ACS. The
Windows users that need permissions to the registry key will depend
on the deployment type.

  * If Cisco Secure ACS is not installed on a Windows domain
    controller, access to the registry key should be limited to only
    the local Windows SYSTEM account and specific local/domain
    administrators who will be performing software maintenance on the
    ACS installation.
  * If Cisco Secure ACS is installed on a Windows domain controller,
    access to the registry key should be limited to the domain
    account which ACS is configured to use for its services, the
    local Windows SYSTEM account and specific local / domain
    administrators who will be performing software maintenance on the
    ACS installation.

For information about editing the Windows registry, please consult
the following Microsoft documentation.

"Description of the Microsoft Windows registry":

http://support.microsoft.com/default.aspx?scid=kb;EN-US;25698

Further mitigation against remote exploitation can be achieved by
restricting access to authorized users or disabling remote access to
the Windows registry on systems running Cisco Secure ACS for Windows.
For information on restricting remote registry access, please consult
the following Microsoft documentation.

"How to restrict access to the registry from a remote computer":

http://support.microsoft.com/kb/q153183

"How to Manage Remote Access to the Registry":

http://support.microsoft.com/kb/q314837
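
The registry-key workaround and the remote-registry restriction above, carried out in PowerShell as an added example; this is not part of the Cisco response. It assumes a current Windows build with PowerShell, a maintainer group named 'ACS-Maintainers', and ACS services running as SYSTEM on a member server (on a domain controller, substitute the domain account ACS uses); both names are placeholders for the real accounts.

```powershell
# Added example, not from the Cisco response: apply the two mitigations with
# PowerShell. Assumed names (not in the bulletin): the 'ACS-Maintainers' group
# and the service account below; replace them with the real principals.
$AcsKey    = 'HKLM:\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators'          # 'CiscoAAAv3.3' varies by ACS version
$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'  # its DACL gates remote registry access
$Maintainers    = 'ACS-Maintainers'       # assumed: admins who maintain the ACS install
$ServiceAccount = 'NT AUTHORITY\SYSTEM'   # on a domain controller: the domain account ACS services run as

function Restrict-RegistryKey {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $AllowedPrincipals
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting the parent's DACL and discard the inherited entries, so
    # BUILTIN\Administrators no longer reaches this key through SOFTWARE.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any remaining explicit entries; the key ends up with an allow-list DACL.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $rights  = [System.Security.AccessControl.RegistryRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit  # flows to every sub-key
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($id in $AllowedPrincipals) {
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $id, $rights, $inherit, $prop, $allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Workaround: only the service account and the maintainers may reach the
#    encrypted ACS administrator passwords and their sub-keys.
Restrict-RegistryKey -Path $AcsKey -AllowedPrincipals @($ServiceAccount, $Maintainers)

# 2. Further mitigation: limit who may open the registry remotely, then
#    disable the Remote Registry service where remote access is not needed.
Restrict-RegistryKey -Path $WinregKey -AllowedPrincipals @('NT AUTHORITY\SYSTEM', $Maintainers)
Set-Service -Name RemoteRegistry -StartupType Disabled
Stop-Service -Name RemoteRegistry -Force

# Show the resulting DACLs so the change can be reviewed and recorded.
foreach ($key in $AcsKey, $WinregKey) {
    Write-Host "DACL for $key"
    (Get-Acl -Path $key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType | Format-Table -AutoSize
}
```

Members of Administrators keep the take-ownership and backup privileges, so the DACL raises the bar and leaves a trail (if object-access auditing is enabled on the key) rather than sealing the key against a determined local administrator; the remote-registry restriction is what removes the network path. Test on a staging host first, since the ACS services and any backup or monitoring agents must remain among the allowed principals.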

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press
inquiries regarding Cisco security notices. All Cisco security
advisories are available at http://www.cisco.com/go/psirt.


Regards,

Matthew Cerha
Cisco Systems

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
