AV:R/AC:H/Au:NR/C:P/I:P/A:P/B:N/E:F/RL:O/RC:C
-
Cisco Security Agent Management Center (CSAMC) contains an administrator authentication bypass vulnerability when configured to use an external Lightweight Directory Access Protocol (LDAP) server for authentication.
There is a workaround for this vulnerability. Cisco has made free software available to address this vulnerability for affected customers.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20061101-csamc.
-
This section provides details on affected products.
-
Cisco Security Agent Management Center (CSAMC) version 5.1 contains an administrator authentication bypass vulnerability when configured to authenticate administrators against an external LDAP server.
There are three roles for CSAMC administrators: configure, deploy, and monitor. The configure role has complete access to the CSAMC application, including the ability to create security policies. The deploy role can create agent kits, deploy security policies, and perform application monitoring. The deploy role cannot modify security policies. The monitoring role can only perform application monitoring functions.
All CSAMC administrator accounts are defined in the local CSAMC database and have an assigned role. CSAMC can be configured to use an external LDAP server to authenticate administrators. As a safety feature, it is possible to specify certain administrator accounts to fall back to local authentication if the LDAP server is unavailable.
If CSAMC is configured to use LDAP for authentication, it is possible to supply a valid administrator username and blank (zero length) password and gain administrative access to the CSAMC application with the role privileges of the administrator. This vulnerability occurs when CSAMC incorrectly handles an authentication failure message from the LDAP server. The administrator password stored on the LDAP server is a valid, non-blank password.
CSAMC version 5.1 is the first to include external LDAP authentication. LDAP authentication is not the default configuration for CSAMC and must be explicitly configured. The LDAP server in this configuration is not built into CSAMC.
Information on configuring administrator LDAP authentication for CSAMC can be found here:
Information on configuring role-based administration for CSAMC can be found here:
This vulnerability is documented in Cisco Bug ID CSCsg40822 ( registered customers only) .
-
It is possible to workaround this vulnerability by disabling external LDAP authentication and configuring administrators to authenticate against the local CSAMC database.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult the following URL:
http://www.cisco.com/warp/public/620/1.html
Fixed CSAMC (fcs-csamc-hotfix-5.1.0.79-w2k-k9.zip) software can be downloaded at http://www.cisco.com/pcgi-bin/tablebuild.pl/csahf-crypto?psrtdcat20e2.
Affected Software Version
Fixed Software Version
CSAMC version 5.1 Hotfix prior to 5.1.0.79
CSAMC version 5.1 Hotfix 5.1.0.79
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by a third party.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2006-November-01
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.