
CERT-In Vulnerability Note CIVN-2008-48
Cisco Network Admission Control Shared Secret Disclosure Vulnerability

Original Issue Date: April 29, 2008

Severity Rating: High

System Affected

  • NAC Appliance software versions 3.5.13 and prior
  • NAC Appliance software versions prior to 3.6.4.4
  • NAC Appliance software versions prior to 4.0.6
  • NAC Appliance software versions prior to 4.1.2

Overview

A vulnerability has been reported in Cisco Network Admission Control (NAC) Appliance that could allow an unauthenticated, remote attacker to completely compromise the Cisco Clean Access Server (CAS).

Description

Cisco NAC Appliance is a network-centric integrated solution administered from the Clean Access Manager web console and enforced through the Clean Access Server and (optionally) the Clean Access Agent/Cisco NAC Web Agent. Cisco NAC Appliance checks client systems, enforces network requirements, distributes patches and antivirus software, and quarantines vulnerable or infected clients for remediation before clients access the network.

The Cisco NAC Appliance uses a shared secret for communication between the Cisco Clean Access Server (CAS) and the Cisco Clean Access Manager (CAM). Because the NAC Appliance may write this shared secret into error logs, an attacker could, by unspecified means, obtain the secret from those logs. A successful exploit could allow the attacker to take full control of the Clean Access Server (CAS).
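The weakness described above is a secret written verbatim into a log file, which then travels wherever the log goes (support bundles, syslog collectors, backups). The following is an added example, not part of the CERT-In note or of Cisco's software: a small audit that scans exported log text for a known shared secret and for generic "secret=..." patterns, reports the offending lines, and produces a redacted copy. The secret value, the log lines and the field names are all constructed for illustration.

```python
import re

# Constructed placeholder for the CAM/CAS shared secret; not a real value.
SHARED_SECRET = "s3cr3t-cam-cas-key"

# Constructed sample error-log text; this is not real NAC Appliance output.
SAMPLE_LOG = """\
2008-04-16 10:21:03 INFO  CAS startup complete
2008-04-16 10:21:07 ERROR CAM connect failed: host=10.0.0.5 secret=s3cr3t-cam-cas-key
2008-04-16 10:21:09 WARN  retrying connection to manager
2008-04-16 10:22:41 ERROR auth exchange failed, shared secret 's3cr3t-cam-cas-key' rejected
"""

# Generic patterns for credential-looking fields, used when the exact secret
# is not known to the auditor (e.g. "secret=xyz", "password: xyz").
GENERIC_SECRET_RE = re.compile(
    r"(?i)\b(secret|password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)"
)


def find_secret_leaks(log_text, secret):
    """Return [(line_no, line)] for every line containing the secret verbatim."""
    leaks = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if secret in line:
            leaks.append((n, line))
    return leaks


def find_generic_leaks(log_text):
    """Return [(line_no, field, value)] for credential-looking key/value fields."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for m in GENERIC_SECRET_RE.finditer(line):
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits


def redact_secret(log_text, secret, mask="[REDACTED]"):
    """Return a copy of the log with every verbatim occurrence of the secret masked."""
    return log_text.replace(secret, mask)


def audit_log(log_text, secret):
    """Summarise the audit: how many lines leak the secret and a clean copy."""
    leaks = find_secret_leaks(log_text, secret)
    redacted = redact_secret(log_text, secret)
    return {
        "leak_lines": [n for n, _ in leaks],
        "generic_hits": find_generic_leaks(log_text),
        "redacted": redacted,
        "clean": secret not in redacted,
    }


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG, SHARED_SECRET)
    print("lines leaking the shared secret:", result["leak_lines"])
    print("credential-looking fields:", result["generic_hits"])
    print(result["redacted"])
```

Run this over a log export before it leaves the appliance host; a non-empty `leak_lines` means the export must not be shared until the redacted copy is used and the shared secret is rotated.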

Solution

Apply appropriate software updates as mentioned in the Cisco Security Advisory:
cisco-sa-20080416-nac

Vendor Information

Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml

http://tools.cisco.com/security/center/viewAlert.x?alertId=15666

References

Security Focus
http://www.securityfocus.com/bid/28807/

FrSIRT
http://www.frsirt.com/english/advisories/2008/1248

Security Tracker
http://securitytracker.com/alerts/2008/Apr/1019859.html

Secunia
http://secunia.com/advisories/29822

ISS
http://xforce.iss.net/xforce/xfdb/41849

AusCERT
http://www.auscert.org.au/render.html?it=9136

CVE Name
CVE-2008-1155

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003