List: bugtraq
Subject: Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability
From: Cisco Systems Product Security Incident Response Team <psirt () cisco ! com>
Date: 2013-08-28 16:00:26
Message-ID: 201308281200.6.acs () psirt ! cisco ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability
Advisory ID: cisco-sa-20130828-acs
Revision 1.0
For Public Release 2013 August 28 16:00 UTC (GMT)
+----------------------------------------------------------------------
Summary
=======
A vulnerability in the EAP-FAST authentication module of Cisco Secure
Access Control Server (ACS) versions 4.0 through 4.2.1.15 could allow an
unauthenticated, remote attacker to execute arbitrary commands on the
Cisco Secure ACS server. This vulnerability is only present when Cisco
Secure ACS is configured as a RADIUS server.

The vulnerability is due to improper parsing of user identities used for
EAP-FAST authentication. An attacker could exploit this vulnerability by
sending crafted EAP-FAST packets to an affected device. An exploit could
allow the attacker to execute arbitrary commands on the Cisco Secure ACS
server and take full control of the affected server.

There are no workarounds for this vulnerability.

Cisco has released free software updates that address this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130828-acs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
iF4EAREKAAYFAlId9U8ACgkQUddfH3/BbTq1hgD9E1+zaqDXuMB+3vutKxeVWOm1
SZu8LlzZCoI7y+J9fnYA/2PiBWLsMJULUwdntZGqimWru7mXOe8OSQhaYJSglW3r
=6OJl
-----END PGP SIGNATURE-----