Cisco Secure ACS EAP-Response Packet Parsing Denial of Service Vulnerability

Vulnerability ID: 1185488  Vulnerability type: Resource management error
Published: 2008-09-03  Updated: 2008-09-03
CVE: CVE-2008-2441  CNNVD-ID: CNNVD-200809-049
Platform: N/A  CVSS score: 7.5
|Vulnerability Sources
https://www.securityfocus.com/bid/30997
https://cxsecurity.com/issue/WLB-2008090092
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-049
|Vulnerability Details
Cisco Secure ACS is the central management platform for Cisco network devices, used to control device authentication and authorization. Cisco Secure ACS does not correctly parse the length of EAP-Response packets: a remote attacker acting as a RADIUS client can send an EAP-Response packet whose Length field is far larger than the actual packet, causing the CSRadius service to crash.
|Vulnerability EXP
Title:
------
* Cisco Secure ACS does not correctly parse the length of EAP-Response
packets which allows remote attackers to cause a denial of service and
possibly execute arbitrary code

Summary:
--------
* A remote attacker (acting as a RADIUS client) could send a specially
crafted EAP Response packet against a Cisco Secure ACS server in such a
way as to cause the CSRadius service to crash (reliable). This bug may
be triggered if the length field of an EAP-Response packet has a certain
big value, greater than the real packet length. Any EAP-Response can
trigger this bug: EAP-Response/Identity, EAP-Response/MD5,
EAP-Response/TLS...

Affected Products:
------------------
* All versions of Cisco Secure ACS that support EAP; for the precise list,
check the Cisco Advisory cisco-sr-20080903-csacs

Assigned CVE:
-------------
* CVE-2008-2441

Details:
--------
* An EAP packet is as follows:

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |   Identifier  |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Identity...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

* For example, the following packet will trigger the vulnerability and
crash CSRadius.exe:

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       2       |       0       |            0xdddd             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       1       |     abcd
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
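
As an added defensive example (not part of the original advisory), a parser that applies the check the advisory describes as missing: the declared Length is compared against the bytes actually received before anything after the header is read, so the trigger packet above is rejected instead of processed. The packet bytes are constructed from the advisory's diagram; the header layout follows RFC 3748, which is assumed as the reference.

```python
import struct

EAP_HEADER_LEN = 4          # Code(1) Identifier(1) Length(2)
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2


class EapParseError(ValueError):
    """Raised when an EAP packet fails header or length validation."""


def parse_eap(buf: bytes) -> dict:
    """Parse one EAP packet (RFC 3748 header) with strict length checks.

    The declared Length is validated against the bytes actually received
    before anything after the header is touched.
    """
    if len(buf) < EAP_HEADER_LEN:
        raise EapParseError(f"truncated header: {len(buf)} bytes")
    code, ident, length = struct.unpack("!BBH", buf[:EAP_HEADER_LEN])
    # The check the advisory describes as missing: a declared Length
    # larger than the datagram must be rejected, never trusted.
    if length < EAP_HEADER_LEN:
        raise EapParseError(f"declared length {length} below header size")
    if length > len(buf):
        raise EapParseError(
            f"declared length {length} exceeds received {len(buf)} bytes")
    body = buf[EAP_HEADER_LEN:length]  # bytes beyond Length are padding
    pkt = {"code": code, "id": ident, "length": length, "type": None, "data": b""}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if not body:  # Request/Response must carry a Type octet
            raise EapParseError("Request/Response without Type octet")
        pkt["type"] = body[0]
        pkt["data"] = body[1:]
    return pkt


def is_well_formed(buf: bytes) -> bool:
    """True if the packet passes parse_eap's checks."""
    try:
        parse_eap(buf)
        return True
    except EapParseError:
        return False


# Constructed samples: the advisory's trigger packet (Length 0xdddd but only
# 9 bytes on the wire) and a well-formed EAP-Response/Identity for comparison.
TRIGGER_PACKET = bytes([2, 0, 0xDD, 0xDD, 1]) + b"abcd"
GOOD_PACKET = bytes([2, 0, 0, 9, 1]) + b"abcd"
```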

Attack Impact:
--------------
* Denial-of-service and possibly remote arbitrary code execution

Attack Vector:
--------------
* Have access as a RADIUS client (knowing or guessing the RADIUS shared
secret) or from an unauthenticated wireless device if the access point
relays malformed EAP frames

Timeline:
---------
* 2008-05-05 - Vulnerability reported to Cisco
* 2008-05-05 - Cisco acknowledged the notification
* 2008-05-05 - PoC sent to Cisco
* 2008-05-13 - Cisco confirmed the issue
* 2008-09-03 - Coordinated public release of advisory

Credits:
--------
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange
|Affected Products
* Cisco Secure ACS for Windows 4.1
* Cisco Secure ACS 4.1(1) build 23
* Cisco Secure Access Control Server 4.1
* Cisco Secure Access Control Server 4.0.1
* Cisco Secure Access Control Server 3.3.2
|References

Source: SECTRACK
Name: 1020814
Link: http://www.securitytracker.com/id?1020814
Source: BUGTRAQ
Name: 20080903 Cisco Secure ACS EAP Parsing Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/495937/100/0/threaded
Source: CISCO
Name: 20080903 Cisco Security Response: Cisco Secure ACS Denial Of Service Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sr-20080903-csacs.shtml
Source: SREASON
Name: 4216
Link: http://securityreason.com/securityalert/4216