
Computer vulnerabilities of Secure ACS

computer vulnerability announcement CVE-2010-0146 CVE-2010-0147 CVE-2010-0148

Cisco Security Agent: three vulnerabilities

Synthesis of the vulnerability

An attacker can use three vulnerabilities of Cisco Security Agent in order to access files, to inject SQL, or to create a denial of service.
Impacted products: Secure ACS, Cisco CallManager, Cisco MeetingPlace, Cisco Unity ~ precise.
Severity: 3/4.
Consequences: data reading, data creation/edition, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 17/02/2010.
Identifiers: 111512, 111742, BID-38271, BID-38272, BID-38273, CERTA-2010-AVI-086, cisco-sa-20100217-csa, CSCtb89870, CSCtd73275, CSCtd73290, CVE-2010-0146, CVE-2010-0147, CVE-2010-0148, VIGILANCE-VUL-9457.

Description of the vulnerability

Three vulnerabilities were announced in Cisco Security Agent, which can be installed with several Cisco products.

When a server uses the Management Center of Cisco Security Agent version 6.0, an attacker can use a directory traversal query in order to access a file located on the system. [severity:3/4; BID-38271, CERTA-2010-AVI-086, CSCtd73275, CVE-2010-0146]

When a server uses the Management Center of Cisco Security Agent version 5.1, 5.2 or 6.0, an attacker can use an SQL injection in order to alter data. [severity:3/4; BID-38272, CSCtd73290, CVE-2010-0147]

When a server uses Cisco Security Agent 5.2, an attacker can generate a denial of service. [severity:2/4; BID-38273, CSCtb89870, CVE-2010-0148]

vulnerability alert CVE-2009-3555

TLS, OpenSSL, GnuTLS: vulnerability of the renegotiation

Synthesis of the vulnerability

A remote attacker can use a vulnerability of TLS in order to insert plaintext data during a renegotiation via a man-in-the-middle attack.
Impacted products: Apache httpd, ArubaOS, BES, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco CSS, IOS by Cisco, IOS XR Cisco, IronPort Email, IronPort Management, Cisco Router, Secure ACS, Cisco CallManager, Cisco CUCM, Cisco IP Phone, WebNS, XenApp, XenDesktop, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FortiOS, FreeBSD, HP-UX, AIX, WebSphere AS Traditional, IVE OS, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, Juniper SA, Mandriva Linux, Mandriva NF, IIS, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, NSS, NetBSD, NetScreen Firewall, ScreenOS, NLD, OES, OpenBSD, OpenSolaris, OpenSSL, openSUSE, Oracle Directory Server, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Trusted Solaris, ProFTPD, SSL protocol, RHEL, Slackware, Sun AS, SUSE Linux Enterprise Desktop, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 10/11/2009.
Identifiers: 1021653, 111046, 273029, 273350, 274990, 6898371, 6898539, 6898546, 6899486, 6899619, 6900117, 977377, AID-020810, BID-36935, c01945686, c01963123, c02079216, CERTA-2011-ALE-005, CERTFR-2017-AVI-392, cisco-sa-20091109-tls, CTX123248, CTX123359, CVE-2009-3555, DSA-1934-1, DSA-2141-1, DSA-2141-2, DSA-2141-4, DSA-2626-1, DSA-3253-1, FEDORA-2009-12229, FEDORA-2009-12305, FEDORA-2009-12606, FEDORA-2009-12750, FEDORA-2009-12775, FEDORA-2009-12782, FEDORA-2009-12968, FEDORA-2009-13236, FEDORA-2009-13250, FEDORA-2010-1127, FEDORA-2010-3905, FEDORA-2010-3929, FEDORA-2010-3956, FEDORA-2010-5357, FEDORA-2010-8742, FEDORA-2010-9487, FEDORA-2010-9518, FG-IR-17-137, FreeBSD-SA-09:15.ssl, HPSBUX02482, HPSBUX02498, HPSBUX02517, KB25966, MDVSA-2009:295, MDVSA-2009:323, MDVSA-2009:337, MDVSA-2010:069, MDVSA-2010:076, MDVSA-2010:076-1, MDVSA-2010:089, MDVSA-2013:019, NetBSD-SA2010-002, openSUSE-SU-2010:1025-1, openSUSE-SU-2010:1025-2, openSUSE-SU-2011:0845-1, PM04482, PM04483, PM04534, PM04544, PM06400, PSN-2011-06-290, PSN-2012-11-767, RHSA-2009:1579-02, RHSA-2009:1580-02, RHSA-2010:0011-01, RHSA-2010:0119-01, RHSA-2010:0130-01, RHSA-2010:0155-01, RHSA-2010:0162-01, RHSA-2010:0163-01, RHSA-2010:0164-01, RHSA-2010:0165-01, RHSA-2010:0166-01, RHSA-2010:0167-01, SOL10737, SSA:2009-320-01, SSA:2010-067-01, SSRT090249, SSRT090264, SSRT100058, SUSE-SA:2009:057, SUSE-SA:2010:020, SUSE-SR:2010:008, SUSE-SR:2010:012, SUSE-SR:2011:008, SUSE-SU-2011:0847-1, TLSA-2009-30, TLSA-2009-32, VIGILANCE-VUL-9181, VMSA-2010-0015, VMSA-2010-0015.1, VMSA-2010-0019, VMSA-2010-0019.1, VMSA-2010-0019.2, VMSA-2010-0019.3, VU#120541.

Description of the vulnerability

Transport Layer Security (TLS) is a cryptographic protocol for network transport.

When opening a connection using TLS, a negotiation mechanism allows the client and server to agree on the encryption algorithm to use.

The protocol allows for renegotiation at any time during the connection. However, the handling of those renegotiations has a vulnerability.

A remote attacker can therefore exploit this vulnerability in order to insert plaintext data via a man-in-the-middle attack.

vulnerability note CVE-2008-2441

Cisco Secure ACS: denial of service of RADIUS EAP

Synthesis of the vulnerability

An attacker can send a malicious RADIUS EAP packet in order to stop Cisco Secure ACS CSRadius and CSAuth.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 04/09/2008.
Identifiers: 107443, BID-30997, CERTA-2008-AVI-446, cisco-sr-20080903-csacs, CSCsq10103, CVE-2008-2441, VIGILANCE-VUL-8084.

Description of the vulnerability

The Cisco Secure ACS product implements a RADIUS server (RFC 2865) to centralize authentication.

The EAP protocol (RFC 3748) encapsulates authentication data. An EAP packet contains:
 - an operation code (Request, Response, etc.)
 - an identifier to associate responses and queries
 - the packet length
 - etc.

However, Cisco Secure ACS CSRadius and CSAuth do not correctly check the length indicated in the RADIUS EAP packet.

An attacker knowing the RADIUS shared secret can therefore send a malicious packet in order to create a denial of service and possibly to execute code.

vulnerability note CVE-2008-0532 CVE-2008-0533

Cisco Secure ACS: vulnerabilities of UCP

Synthesis of the vulnerability

Two vulnerabilities of Windows User-Changeable Password can be used by an attacker to execute code or to perform a Cross Site Scripting attack.
Impacted products: Secure ACS.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/03/2008.
Revision date: 13/03/2008.
Identifiers: 100519, BID-28222, CERTA-2008-AVI-133, CERTA-2008-AVI-140, cisco-sa-20080312-ucp, CSCsl49180, CSCsl49205, CVE-2008-0532, CVE-2008-0533, VIGILANCE-VUL-7664.

Description of the vulnerability

Two vulnerabilities of Windows User-Changeable Password impact Cisco Secure Access Control Server.

An attacker can use several overflows in the UCP CSuserCGI.exe web interface in order to execute code. [severity:3/4; CERTA-2008-AVI-133, CERTA-2008-AVI-140, CSCsl49180, CVE-2008-0532]

An attacker can use several Cross Site Scripting flaws in the UCP CSuserCGI.exe web interface in order to execute JavaScript code. [severity:2/4; CSCsl49205, CVE-2008-0533]

computer vulnerability CVE-2006-2937 CVE-2006-2940 CVE-2006-3738

OpenSSL: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities have been discovered in OpenSSL, the worst one leading to code execution.
Impacted products: Arkoon FAST360, CiscoWorks, Cisco CSS, Cisco IPS, Cisco Prime Central for HCS, Secure ACS, WebNS, Debian, Fedora, FreeBSD, F-Secure AV, Tru64 UNIX, HP-UX, BIND, Mandriva Linux, Mandriva NF, Windows (platform) ~ not comprehensive, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, Slackware, TurboLinux.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 29/09/2006.
Revision date: 20/12/2007.
Identifiers: 102711, 102747, 20061001-01-P, 6476279, AK-2006-06, AK-2006-07, BID-20246, BID-20247, BID-20248, BID-20249, BID-26093, c00805100, c00849540, c00967144, CERTA-2006-AVI-421, CERTA-2006-AVI-448, CERTA-2006-AVI-454, CERTA-2006-AVI-521, CERTA-2007-AVI-051, CERTA-2008-AVI-141, cisco-sr-20061108-openssl, CSCek57074, CSCsg09619, CSCsg24311, CSCsg58599, CSCsg58607, CSCtx20378, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343, DSA-1185-1, DSA-1195-1, emr_na-c01203958-1, FEDORA-2006-1004, FreeBSD-SA-06:23.openssl, FSC-2006-6, HPSBTU02207, HPSBUX02174, HPSBUX02186, MDKSA-2006:172, MDKSA-2006:177, MDKSA-2006:178, NetBSD-SA2008-007, RHSA-2006:0695-01, RHSA-2008:0264-01, RHSA-2008:0525-01, SSA:2006-272-01, SSRT061213, SSRT061239, SSRT071299, SSRT071304, SUSE-SA:2006:058, SUSE-SR:2006:024, TLSA-2006-33, TLSA-2007-52, VIGILANCE-VUL-6185, VU#247744, VU#386964, VU#423396, VU#547300.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

Certain ASN.1 structures can generate an error leading to an infinite loop which consumes system memory. This condition thus permits an attacker to generate a denial of service on the system. [severity:3/4; BID-20248, CERTA-2006-AVI-421, CERTA-2006-AVI-448, CERTA-2006-AVI-521, CERTA-2008-AVI-141, CVE-2006-2937, VU#247744]

Certain types of public keys encoded with ASN.1 can take an extremely long time to decode. An attacker can thus use this vulnerability to generate a denial of service. [severity:3/4; BID-20247, CERTA-2007-AVI-051, CVE-2006-2940, VU#423396]

A buffer overflow in the SSL_get_shared_ciphers() function permits an attacker to run code on the system by sending a succession of malicious packets to an application using OpenSSL. [severity:3/4; BID-20249, CVE-2006-3738, VU#547300]

An attacker can create a malicious SSLv2 server in order to generate a denial of service on connected clients. [severity:2/4; BID-20246, CVE-2006-4343, VU#386964]

computer vulnerability note 6649

Cisco: Cross Site Scripting of online help

Synthesis of the vulnerability

An attacker can generate a Cross Site Scripting attack on Cisco products with online help activated.
Impacted products: Cisco Catalyst, CiscoWorks, Secure ACS, Cisco VPN Concentrator.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/03/2007.
Identifiers: 82421, BID-22982, cisco-sr-20070315-xss, VIGILANCE-VUL-6649.

Description of the vulnerability

Online web help can be installed on several Cisco products.

The search script (PreSearch.html or PreSearch.class) of this help does not correctly filter parameters it receives.

An attacker can therefore create a Cross Site Scripting attack in order to execute JavaScript code in the victim's web browser.

computer vulnerability alert CVE-2006-4097 CVE-2006-4098 CVE-2007-0105

Cisco Secure ACS: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Cisco Secure ACS permit a network attacker to generate a denial of service or to execute code.
Impacted products: Secure ACS.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 08/01/2007.
Identifiers: 77797, 77820, BID-21900, cisco-sa-20070105-csacs, CSCeg04666, CSCeg04788, CSCsd96293, CSCse18250, CSCse18278, CVE-2006-4097, CVE-2006-4098, CVE-2007-0105, VIGILANCE-VUL-6436, VU#443108, VU#477164, VU#744249.

Description of the vulnerability

The CSAdmin service provides the web administration interface. The CSRadius service is the interface between the device and the CSAuth module. The Cisco Secure ACS product has 3 vulnerabilities in these services.

An attacker can use a malicious HTTP GET query in order to corrupt CSAdmin memory, leading to a denial of service or to code execution. The attacker's IP address has to be allowed to connect to the web server. [severity:3/4; CSCsd96293, VU#744249]

An attacker can use a malicious RADIUS Accounting-Request packet in order to corrupt CSRadius memory, leading to a denial of service or to code execution. The attacker has to know the RADIUS shared secret key. [severity:3/4; CSCse18278, CVE-2006-4098, VU#477164]

An attacker can use a malicious RADIUS Access-Request packet in order to generate a denial of service of CSRadius. The attacker has to know the RADIUS shared secret key. [severity:3/4; CSCse18250, CVE-2006-4097, VU#443108]

An attacker can use a malicious RADIUS Access-Request packet in order to generate a denial of service of CSRadius. The attacker has to know the RADIUS shared secret key. [severity:3/4; CSCeg04788, VU#443108]

An attacker can use a malicious RADIUS Access-Request packet in order to generate a denial of service of CSRadius. The attacker has to know the RADIUS shared secret key. [severity:3/4; CSCeg04666, VU#443108]

vulnerability CVE-2006-4339 CVE-2006-4340 CVE-2006-4790

OpenSSL / GnuTLS / NSS: bypassing a PKCS#1 signature check

Synthesis of the vulnerability

An attacker can create a malicious PKCS #1 signature which will be accepted as valid by OpenSSL, GnuTLS or NSS.
Impacted products: CiscoWorks, Cisco CSS, Cisco IPS, Cisco Prime Central for HCS, Secure ACS, WebNS, Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, BIND, Mandriva Linux, Mandriva NF, NetBSD, OpenSSL, openSUSE, Oracle Directory Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Java Oracle, Solaris, Trusted Solaris, RHEL, Slackware, Sun AS, Sun Messaging, ASE, InterScan VirusWall, TurboLinux.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 05/09/2006.
Revision dates: 07/09/2006, 14/09/2006, 15/09/2006.
Identifiers: 102622, 102648, 102686, 102696, 102722, 102744, 102759, 102781, 102970, 10332, 20060901-01-P, 200708, 201255, 6378707, 6466389, 6467218, 6469236, 6469538, 6472033, 6473089, 6473494, 6488248, 6499438, 6567841, 6568090, BID-19849, c00794048, c00849540, c00967144, cisco-sr-20061108-openssl, CSCek57074, CSCsg09619, CSCsg24311, CSCsg58599, CSCsg58607, CSCtx20378, CVE-2006-4339, CVE-2006-4340, CVE-2006-4790, DSA-1173-1, DSA-1174-1, DSA-1182-1, emr_na-c01070495-1, FEDORA-2006-953, FEDORA-2006-974, FEDORA-2006-979, FreeBSD-SA-06:19.openssl, HPSBTU02207, HPSBUX02165, HPSBUX02186, HPSBUX02219, MDKSA-2006:161, MDKSA-2006:166, MDKSA-2006:207, NetBSD-SA2006-023, RHSA-2006:0661, RHSA-2006:0680-01, RHSA-2008:0264-01, RHSA-2008:0525-01, RT #16460, secadv_20060905, SSA:2006-310-01, SSRT061213, SSRT061239, SSRT061266, SSRT061273, SSRT071299, SSRT071304, SUSE-SA:2006:055, SUSE-SA:2006:061, SUSE-SR:2006:023, SUSE-SR:2006:026, TLSA-2006-29, VIGILANCE-VUL-6140, VU#845620.

Description of the vulnerability

The RSA algorithm uses the following principle:
  Cipher = Message^e (mod n)
  Cipher^d (mod n) = Message
With:
 - n: the product of two big prime numbers
 - e: the public exponent, generally 3, 17 or 65537

The PKCS #1 standard defines features and usage of RSA algorithm.

The crypto/rsa/rsa_sign.c file contains the RSA_verify() function. This function does not correctly handle long paddings. When the public exponent is small (3, or 17 if the modulus is 4096 bits long), this error leads to the validation of invalid signatures.

This vulnerability permits an attacker to create a malicious PKCS #1 signature which will be accepted as valid by OpenSSL, GnuTLS or NSS.

computer vulnerability note CVE-2006-3226

Cisco Secure ACS: obtaining administration port

Synthesis of the vulnerability

An attacker can guess the port number used by the administration server in order to access the session just opened by the administrator.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: intranet client.
Creation date: 23/06/2006.
Revision date: 26/06/2006.
Identifiers: BID-18621, CERTA-2006-AVI-264, CSCse26719, CSCse26754, CVE-2006-3226, VIGILANCE-VUL-5949.

Description of the vulnerability

The authentication page of Cisco Secure ACS listens on port 2002/tcp by default. When the administrator has authenticated, he is redirected to another port. Only one client is allowed to connect to this port. The server then creates a session based on the client IP address and port number.

If the administrator is behind a shared proxy or a translated address, an attacker with the same IP address only has to guess the port number to access the administrator's session.

This attack is facilitated because the port number is simply incremented for each session.

An attacker can therefore access the session just opened by the administrator.

vulnerability alert 5931

Cisco Secure ACS: Cross Site Scripting of LogonProxy.cgi

Synthesis of the vulnerability

An attacker can use the LogonProxy.cgi script for a Cross Site Scripting attack.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 16/06/2006.
Revision date: 19/06/2006.
Identifiers: BID-18449, CSCsd50560, VIGILANCE-VUL-5931.

Description of the vulnerability

The Cisco Secure Access Control Server product centralizes user authentication.

The /CScgi/LogonProxy.cgi script can be used by an attacker for a Cross Site Scripting attack. Several parameters can be used:
 - error
 - SSL
 - Ok

This vulnerability, which only affects Unix installations, permits an attacker for example to intercept user credentials.