Reference: CERT-EU Security Advisory 2014-004

Title: Multiple Vulnerabilities in Cisco Secure Access Control System [1]

Version history:
22.01.2014 Initial publication

Summary
=======

Cisco Secure Access Control System (ACS) is affected by the following vulnerabilities:

Cisco Secure ACS RMI Privilege Escalation Vulnerability
Cisco Secure ACS RMI Unauthenticated User Access Vulnerability
Cisco Secure ACS Operating System Command Injection Vulnerability

Cisco Secure ACS uses the Remote Method Invocation (RMI) interface for internode communication using TCP ports 2020 and 2030.

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other.

Vulnerability scoring according to CVSS:[2]

CVE-2014-0649 CVSS v2 Base Score: 8.5
CVE-2014-0648 CVSS v2 Base Score: 7.6
CVE-2014-0650 CVSS v2 Base Score: 8.5

Vulnerable systems
==================

All releases of Cisco Secure ACS prior to release 5.5 are affected by the RMI-based vulnerabilities in this advisory.

All releases of Cisco Secure ACS prior to ACS 5.4 patch 3 are affected by the OS command injection vulnerability in this advisory.

Original Details
================

See the original advisory from the provider for details.[1]

What can you do?
================

There is a patch. [1]

What to tell your users?
========================

N/A

More information
================

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs
[2] http://nvd.nist.gov/cvss.cfm?vectorinfo&version=2

Best regards,
CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
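
The release thresholds stated under "Vulnerable systems" can be applied to an inventory of ACS nodes to see which of the three vulnerabilities each node is exposed to, including the case where a release is affected by one class but not the other. This Python code is an added example, not part of the CERT-EU or Cisco advisory; the release string format ("5.4 patch 3"), the node names and the sample inventory are assumptions.

```python
import re

# Thresholds exactly as stated under "Vulnerable systems" in this advisory,
# as (major, minor, patch) tuples; a release is affected when it sorts below them.
RMI_FIXED = (5, 5, 0)        # "prior to release 5.5"
CMD_INJ_FIXED = (5, 4, 3)    # "prior to ACS 5.4 patch 3"

RMI_VULNS = ["RMI Privilege Escalation", "RMI Unauthenticated User Access"]
CMD_INJ_VULN = "Operating System Command Injection"

# Assumed input format, mirroring the advisory's wording: "5.4 patch 3" or "5.5".
_RELEASE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_release(text):
    """Return (major, minor, patch); a missing patch level counts as patch 0."""
    m = _RELEASE.match(text)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def applicable_vulnerabilities(release_text):
    """List the advisory's vulnerabilities that apply to one ACS release."""
    release = parse_release(release_text)
    found = []
    if release < RMI_FIXED:
        found.extend(RMI_VULNS)
    if release < CMD_INJ_FIXED:
        found.append(CMD_INJ_VULN)
    return found


def triage(inventory):
    """Map each node name to the vulnerabilities that apply to its release."""
    return {node: applicable_vulnerabilities(rel) for node, rel in inventory.items()}


# Constructed inventory (hypothetical node names and releases).
SAMPLE_INVENTORY = {
    "acs-primary": "5.3 patch 6",
    "acs-secondary": "5.4 patch 3",
    "acs-lab": "5.5",
}

if __name__ == "__main__":
    for node, vulns in triage(SAMPLE_INVENTORY).items():
        print(f"{node}: {', '.join(vulns) if vulns else 'not affected per this advisory'}")
```

The comparison follows the advisory's wording literally; the vendor advisory [1] remains the reference for the fixed release of each individual release train.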