A critical vulnerability in the web interface for Cisco ACS enables unauthorized attackers to run commands on a server as a privileged user, according to Positive Technologies.
A critical vulnerability found in Cisco Access Control Server (ACS) allowed attackers to obtain the credentials of privileged users and run commands on a server, according to a Thursday report from Positive Technologies.
The flaw CVE-2018-0253 was found in the corporate authentication and accounting solution's web interface, Positive Technologies researchers found. It received a CVSS v3.0 score of 9.8 out of 10, indicating a "critical" degree of severity, the report noted.
A hacker already on an internal network can exploit the vulnerability to modify or collect the credentials of other users on network devices. They can also attack other resources on the internal network, or perform man-in-the-middle attacks, the report noted.
SEE: Incident response policy (Tech Pro Research)
Even more concerning is the fact that if hackers can externally access the Cisco ACS web interface, they can run these attacks from anywhere in the world, the report found.
This can obviously have catastrophic effects on any enterprise, Positive Technologies web application security specialist Mikhail Klyuchnikov said in a press release.
"If Cisco ACS is integrated with Microsoft Active Directory—which is often the case—an attacker can steal the credentials of the domain administrator," Klyuchnikov said in the release. "When Active Directory integration is absent, the attacker can still obtain control of routers and firewalls in order to intercept traffic, including sensitive data, on the entire network—or access closed-off network segments, such as bank processing systems."
Incorrect server-side handling of AMF3 messages caused the flaw, the researchers found. Attackers can place a serialized Java object into an AMF3 message, and when it is deserialized, the server will load malicious code from the source selected by the attacker, and runs it.
The following versions of Cisco ACS were affected: Cisco ACS prior to v126.96.36.199.7 (no authorization required), and Cisco ACS v188.8.131.52.7 with v184.108.40.206.8 (authorization required).
This isn't the system's first flaw found this year: In March, researchers found that another Java deserialization bug in ACS and a hardcoded SSH password in Cisco's Prime Collaboration Provisioning software could both be exploited to gain root access. Cisco patched those flaws as well.
To fix the latest flaw, Cisco advises updating servers to version 220.127.116.11.9 or later.
The big takeaways for tech leaders:
- A critical vulnerability found in Cisco Access Control Server allows attackers to obtain the credentials of privileged users and run commands on a server.
- Affected users should update their servers to version 18.104.22.168.9 or later immediately.
- IT pro's guide to effective patch management (free PDF) (TechRepublic)
- Cisco: You need to patch our security devices again for dangerous ASA VPN bug (ZDNet)
- 6 important security takeaways from applying Spectre and Meltdown patches (TechRepublic)
- Cisco Secure ACS 3.0 for Windows (CNET)
- Cisco VPN Client Fix for Windows 8.1 and 10 (Download.com)