Computer Emergency Response Team of Mauritius (CERT-MU)

AD-2015-01


Cisco Secure Access Control Server Multiple Vulnerabilities

Updated: January 13, 2015

Severity Rating: High

Overview:

Multiple vulnerabilities have been identified in Cisco Secure Access Control Server. They can be exploited by remote attackers to conduct open redirection attacks, conduct cross-site scripting attacks, cause execution of arbitrary code, and exceed their authorization level because of improper privilege validation.

Cisco has released an update to address the vulnerabilities.

Description:

The vulnerabilities reported in Cisco Secure Access Control Server are as follows:

· A vulnerability exists in the web interface of Cisco Secure Access Control Server (ACS) that could allow a remote attacker to conduct a web page open redirection attack against a user’s browser. The vulnerability is due to insufficient input validation of a specific parameter. A remote attacker could exploit it by persuading a user to access a malicious link.

· A vulnerability occurs because the web interface does not properly filter HTML code from user-supplied input before displaying it. This could allow a remote attacker to create a specially crafted URL that, when loaded by a user, causes arbitrary scripting code to be executed by the target user’s browser. The code originates from the site running the Cisco Secure Access Control Server software and runs in the security context of that site. As a result, the code is able to access the target user’s cookies (if any) associated with the site, access data recently submitted by the target user to the site via web forms, or take actions on the site as the target user.

· A vulnerability exists in the Role Based Access Control component of Cisco Secure Access Control Server (ACS) that could allow an authenticated, remote attacker to exceed their authorization level. The vulnerability is due to improper privilege validation. An attacker could exploit it by sending crafted HTTP requests to the ACS server. A remote attacker could thereby perform Create, Read, Update and Delete operations on any Network Identity Group with privileges that should be limited to a Network Device Administrator.
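The three weakness classes above (a redirect parameter accepted without validation, user input reflected into HTML without encoding, and an authorization decision that does not properly validate privileges) each correspond to a server-side check. The following Python is an added illustration of those checks, not Cisco ACS code; the host name, role names and permission table are constructed assumptions.

```python
"""Defensive checks for the weakness classes described in AD-2015-01 (constructed example)."""
from html import escape
from urllib.parse import urlparse

# Assumption: the only host the application may redirect to is itself.
ALLOWED_REDIRECT_HOSTS = {"acs.example.internal"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Open-redirect mitigation: accept only local paths or same-host URLs.

    Protocol-relative targets (//host), backslash tricks (/\\host) and
    userinfo tricks (https://trusted@evil) all fall back to the default.
    """
    if "\\" in target:
        return default
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # Relative path: must be a single leading slash
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return default


def render_message(user_input: str) -> str:
    """XSS mitigation: HTML-encode user-supplied text before placing it in a page."""
    return f"<p>{escape(user_input, quote=True)}</p>"


# Constructed RBAC table: which roles may perform which operations on a
# Network Identity Group. Role names are assumptions, not ACS identifiers.
ROLE_PERMISSIONS = {
    "SuperAdmin": {"create", "read", "update", "delete"},
    "NetworkDeviceAdmin": {"create", "read", "update", "delete"},
    "ReadOnlyAdmin": {"read"},
}


def authorize_identity_group_op(session_role: str, operation: str, request_fields: dict) -> bool:
    """Privilege validation: decide from the authenticated session's role only.

    Anything the client sends in the request body (including a claimed role)
    is deliberately ignored, so a crafted request cannot raise privileges.
    """
    del request_fields  # never consulted for the authorization decision
    return operation in ROLE_PERMISSIONS.get(session_role, set())
```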


Affected Systems:

· Cisco Secure Access Control System (ACS)

CVE Information

CVE-2014-8029

CVE-2014-8028

CVE-2014-8027

Solution

Users are advised to apply the updates released by Cisco.

More information about the update is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8029

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8027

References

Cisco Security Advisory

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8029

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8027

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8028

Security Tracker

http://www.securitytracker.com/id/1031515

http://www.securitytracker.com/id/1031516

http://www.securitytracker.com/id/1031514

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

E-mail: contact@cert.ncb.mu

Postal address

Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
9th Floor, Stratton Court
La Poudriere Street
Port Louis