In-Depth

News in Brief

Cisco Secure Access Control Server; more on Snort

• By Mathew Schwartz
• 05/07/2003

Cisco Secure Access Control Server (ACS) Windows versions up to and including version 2.6.4 , 3.0.3, and 3.1.1, are susceptible to a username buffer overflow. Unix versions of Cisco Secure ACS are not effected.

ACS centralizes administration of user authentication, authorization and account information for up to thousands of enterprise gateways (e.g., firewalls and VPNs). Cisco Secure ACS for Windows provides a Web-based management interface, termed CSAdmin, which listens on TCP port 2002. If CSAdmin receives an especially long username, it can cause a buffer overflow. Hence an attacker could use a long username to freeze the server, perhaps gain local privileges, execute code, change all access configurations in ACS, or gain complete remote access.

Cisco has released a software fix. Users should apply patch files to repair the CSAdmin program. Future versions of CSAdmin will have the repair built in as well. In addition, companies can block access to port 2002 (TCP) at the network perimeter.

Link: http://www.cisco.com/warp/public/707/cisco-sa-20030423-ACS.shtml

Snort Exploit Released

As reported last week, a vulnerability in Snort, the free, open source packet sniffing tool for detecting network intrusion detections, could lead to denial of service attacks or remote command execution on a host running Snort. In particular, the Snort TCP reassembly preprocessor is vulnerable.

The newly released code attempts to cause a remote exploit by creating a remote shell to the attacker’s computer.

Users who haven’t patched effected versions of Snort (1.8 to 1.9.1, plus Snort CVS) are advised to do so immediately.

Link to code exploit: http://packetstormsecurity.nl/0304-exploits/p7snort191.sh

For more information on Snort, visit http://www.snort.org/