Cisco Secure ACS EAP Parsing Vulnerability

2008.09.06
Credit: Laurent Butti
Risk: High
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: ------ * Cisco Secure ACS does not correctly parse the length of EAP-Response packets which allows remote attackers to cause a denial of service and possibly execute arbitrary code Summary: -------- * A remote attacker (acting as a RADIUS client) could send a specially crafted EAP Response packet against a Cisco Secure ACS server in such a way as to cause the CSRadius service to crash (reliable). This bug may be triggered if the length field of an EAP-Response packet has a certain big value, greater than the real packet length. Any EAP-Response can trigger this bug: EAP-Response/Identity, EAP-Response/MD5, EAP-Response/TLS... Affected Products: ------------------ * All versions of Cisco Secure ACS that support EAP, to be more precise, check the Cisco Advisory cisco-sr-20080903-csacs Assigned CVE: ------------- * CVE-2008-2441 Details: -------- * An EAP packet is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Identity... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * For example, the following packet will trigger the vulnerability and crash CSRadius.exe: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2 | 0 | 0xdddd | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1 | abcd +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Attack Impact: -------------- * Denial-of-service and possibly remote arbitrary code execution Attack Vector: -------------- * Have access as a RADIUS client (knowing or guessing the RADIUS shared secret) or from an unauthenticated wireless device if the access point relays malformed EAP frames Timeline: --------- * 2008-05-05 - Vulnerability reported to Cisco * 2008-05-05 - Cisco acknowledged the notification * 2008-05-05 - PoC sent to Cisco * 2008-05-13 - Cisco confirmed the issue * 2008-09-03 - Coordinated public release of advisory Credits: -------- * This vulnerability was discovered by Gabriel Campana and Laurent Butti from France Telecom / Orange

References:

http://www.securityfocus.com/archive/1/archive/1/495937/100/0/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top