Networking equipment maker Cisco Systems has warned
customers about security holes in two products that provide user
authentication and authorisation services for network devices such
as firewalls and routers.
The company issued a security advisory identifying "multiple
denial-of-service (DoS) and authentication related vulnerabilities"
in two products: the Cisco Secure Access Control Server for Windows
(Windows ACS) and Cisco Secure Access Control Server Solution
Engine (Secure ACS).
The vulnerabilities could allow attackers or malicious users to
crash the ACS products or gain unauthorised access to network
devices, Cisco said.
ACS products centralise user identity management for other Cisco
products and management applications, allowing administrators to
manage and enforce access policies that control who can log into
the network.
Cisco found that both the Secure ACS and ACS Windows products
stopped responding to new TCP (Transmission Control Protocol)
connections after being flooded with TCP connections on port 2002.
The denial-of-service condition hampered the ACS devices' ability
to process authentication requests and required the ACS devices to
be rebooted to restore authentication services.
In other instances, Cisco found that, under certain
circumstances, attackers that faked (or "spoofed") the network
address of a computer that is accessing the ACS administrative user
interface could access that interface without being asked to log in
first.
Cisco released product upgrades for ACS Windows version 3.2 and
3.3 and for the ACS Solution Engine.
The company recommended that customers with service contracts
obtain the updates using the Cisco Product Upgrade Tool or by
contacting the companies' Technical Assistance Centre.
Paul Roberts writes for IDG News Service