Cisco Plugs Security Holes
8/31/2004 -- Cisco Systems Inc. last week patched vulnerabilities affecting its Secure Access Control Server (ACS) and IOS operating environment.
First, last Wednesday, Cisco disclosed four vulnerabilities in ACS. Attackers can exploit at least two of them to launch denial-of-service attacks against Cisco's ACS. The first flaw is in ACS's Web-based CSAdmin interface, which listens by default on TCP port 2002. An attacker could flood this port with TCP connections, causing ACS for Windows and the ACS Solution Engine to stop responding to new TCP connections destined for port 2002. In addition, Cisco warns, the ACS services that process authentication-related requests may become unstable and stop responding. In this case, the company acknowledges, users must reboot ACS to restore these services.
The second flaw concerns the way ACS processes Lightweight Extensible Authentication Protocol (LEAP) RADIUS proxy authentication requests. In some cases, i.e., when LEAP authentication requests are forwarded to a secondary RADIUS server, an ACS device with the LEAP RADIUS proxy configured may crash. Once again, a reboot is required to restore operation.
The third flaw is associated with ACS's support for external user databases, in this case Novell Directory Services (NDS). If anonymous bind is allowed in NDS, and the ACS Solution Engine is authenticating NDS users with NDS (rather than Generic LDAP) as the external database, then users are able to authenticate with blank passwords against that NDS database. Wrong passwords and incorrect usernames, however, are properly rejected, Cisco said in a security bulletin posted to its Web site. This is an instance of a general LDAP pitfall: a simple bind that supplies a DN but an empty password is an "unauthenticated bind," which a server that permits anonymous access answers with success, so any application that authenticates by binding must reject empty passwords itself before it ever sends the bind.
The fourth flaw is an IP spoofing vulnerability that could allow an attacker to gain control of ACS without ever authenticating, provided he or she spoofs the IP address of a user who has already successfully authenticated. After a successful login, ACS redirects the administrator's GUI session to a random TCP port. If an attacker spoofs the IP address of that user's computer and accesses the ACS GUI on this random port, the attacker may be able to connect to the ACS GUI, bypassing authentication, the security bulletin said. Authentication to the ACS server may also be bypassed if the attacker sits behind the same PAT device as the ACS user, and so presents the same source address to the server, and accesses the ACS GUI on that random port.
Elsewhere, Cisco disclosed that a specifically crafted TCP connection to a TELNET or reverse TELNET port of a Cisco device running IOS may block further telnet, reverse telnet, RSH, SSH, and in some cases HTTP access to that device. The vulnerability affects all Cisco devices that run IOS and support either TELNET or reverse TELNET.
A software patch is forthcoming, and in the interim Cisco has published several workarounds on its Web site, including configuring a VTY access class, configuring interface ACLs, configuring infrastructure ACLs, and configuring receive ACLs. -Stephen Swoyer
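For readers who want to see what those workarounds look like on a router, the following IOS configuration fragment is an added example written for this page; it is not taken from the article or from Cisco's advisory. The interface name, the management network 192.0.2.0/28, the router's own address 198.51.100.1 and the infrastructure block 198.51.100.0/24 are assumptions using documentation address space; substitute your own.

```text
! Added example, not Cisco's advisory text. Addresses and interface names
! are assumptions (RFC 5737 documentation ranges).
!
! 1. VTY access class: only hosts on the management network may open a
!    vty session at all, whatever transport they try.
ip access-list standard VTY-MGMT
 permit 192.0.2.0 0.0.0.15
 deny   any log
!
line vty 0 4
 access-class VTY-MGMT in
!
! 2. Interface ACL on the outside-facing interface: let management hosts
!    reach the router, drop telnet (23) and reverse-telnet (2000+line)
!    aimed at the router's own address from anyone else, pass transit.
ip access-list extended EDGE-IN
 permit tcp 192.0.2.0 0.0.0.15 host 198.51.100.1 eq 22
 permit tcp 192.0.2.0 0.0.0.15 host 198.51.100.1 eq 23
 deny   tcp any host 198.51.100.1 eq 23
 deny   tcp any host 198.51.100.1 range 2000 2999
 ! 3. Infrastructure ACL: nothing else from outside may talk to any
 !    address in the infrastructure block; transit traffic still flows.
 deny   ip any 198.51.100.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
!
! 4. Receive ACL (distributed platforms, e.g. 12000 series): filters
!    traffic punted to the route processor regardless of ingress interface,
!    so it protects the control plane even where no interface ACL applies.
access-list 110 permit tcp 192.0.2.0 0.0.0.15 any eq 22
access-list 110 permit tcp 192.0.2.0 0.0.0.15 any eq 23
access-list 110 deny   tcp any any eq 23
access-list 110 deny   tcp any any range 2000 2999
access-list 110 permit ip any any
ip receive access-list 110
```

The four mechanisms are layered rather than alternatives: the access class only guards vty lines, the interface and infrastructure ACLs stop the crafted connection at the edge before it reaches the TCP stack, and the receive ACL is the backstop on platforms that support it. Verify the result from an unauthorised host with a plain TCP connect to port 23 and confirm it is refused or times out rather than opening a session.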