Reference: CERT-EU Security Advisory 2012-0136
Title: Cisco Secure Access Control System TACACS+ Authentication Bypass Vulnerability [1]
Version history: 22.11.2012 Initial publication

Summary
=======

Cisco Secure Access Control System (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to bypass the TACACS+-based authentication service offered by the affected product.

CVE-2012-5424
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Vulnerable systems
==================

The following Cisco Secure ACS versions are affected by this vulnerability:

Cisco Secure ACS Version    Affected
========================    ========
5.0                         Yes
5.1                         Yes
5.2                         Yes
5.3                         Yes
5.4                         No

The previous list applies to both the hardware appliance and the software-only versions of the product. The advisory [1] describes the methods that can be used to determine which version of Cisco Secure ACS is installed.

Original Details
================

Cisco Secure Access Control System (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to bypass the TACACS+-based authentication service offered by the affected product.

The vulnerability is due to improper validation of the user-supplied password when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store. An attacker may exploit this vulnerability by sending a special sequence of characters when prompted for the user password. The attacker would need to know a valid username stored in the LDAP external identity store to exploit this vulnerability, and the exploitation is limited to impersonating only that user. An exploit could allow the attacker to successfully authenticate to any system using TACACS+ in combination with an affected Cisco Secure ACS.

Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability.

Successful exploitation of this vulnerability could allow a remote attacker to impersonate a user and bypass authentication to any system that uses TACACS+ and relies on the authentication service provided by an affected Cisco Secure ACS.

What can you do?
================

The following table provides software upgrade information to mitigate the vulnerability described in this security advisory:

Cisco Secure ACS Version    Fixed Release
========================    =============
5.0                         Migrate to 5.2 Patch 11
5.1                         Migrate to 5.2 Patch 11
5.2                         5.2 Patch 11
5.3                         5.3 Patch 7

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco has released free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

What to tell your users?
========================

N/A

More information
================

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121107-acs
[2] http://www.cisco.com/go/psirt
[3] http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5424
[5] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html