Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet. NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute.
Cisco Secure Access Control Server (ACS) is vulnerable to multiple denial-of-service (DoS) attacks due to flaws in its RADIUS service, potentially allowing remote attackers to crash the server. These vulnerabilities, including a heap-based buffer overflow, can be triggered by sending crafted RADIUS packets, disrupting authentication and network access. Successful exploitation can lead to significant service outages and impact network availability.
Step 1: Packet Crafting: An attacker crafts a malicious RADIUS Access-Request packet. This packet is designed to exploit vulnerabilities within the Cisco ACS service.
Step 2: Attribute Manipulation: The crafted packet includes specific RADIUS attributes, such as the Tunnel-Password attribute, with carefully chosen values. In the case of the heap-based buffer overflow, the Tunnel-Password attribute contains a value that exceeds the allocated buffer size.
Step 3: Packet Transmission: The attacker sends the crafted RADIUS packet to the Cisco ACS server, typically over UDP port 1812 or 1645.
Step 4: Vulnerability Trigger: The Cisco ACS service receives the malicious packet and attempts to process it. Due to the lack of proper input validation, the service copies the oversized Tunnel-Password attribute value into a buffer on the heap.
Step 5: Buffer Overflow/Other Vulnerabilities: The oversized data overwrites adjacent memory locations, corrupting data structures or code. Other vulnerabilities could be triggered by other crafted attributes.
Step 6: Service Crash: When the service attempts to use the corrupted data, it crashes, resulting in a denial-of-service condition. This can prevent legitimate users from authenticating and accessing network resources.
The root cause lies in the Cisco ACS's handling of RADIUS Access-Request packets. Specifically, the vulnerability stems from inadequate input validation and bounds checking when processing attributes within these packets. The heap-based buffer overflow, reported to involve the Tunnel-Password attribute, suggests that the software allocates a buffer on the heap to store the attribute's value, but fails to properly validate the length of the incoming data. An attacker can craft a malicious RADIUS packet containing a Tunnel-Password attribute with an excessively long value, overflowing the allocated buffer. This overwrite corrupts adjacent memory, leading to a crash when the service attempts to access or use the corrupted data. Other unspecified vulnerabilities likely involve similar flaws in processing other RADIUS attributes or packet structures, leading to memory corruption or other unexpected behavior.
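The attack flow and root-cause paragraphs above both come down to one missing check: the attribute length and the Tunnel-Password body are never validated before being copied. The following Python validator is an added example, not code from Cisco, CSRadius or the advisory. It parses a RADIUS datagram using the RFC 2865 header layout, the RFC 2868 Tunnel-Password attribute (type 69, laid out as tag + salt + ciphertext in 16-byte blocks), and applies the bounds checks that the text says were absent. The header layout and attribute type come from the RFCs; the policy limit MAX_TUNNEL_PASSWORD_VALUE, the sample packets and the finding strings are constructed for this example, since the page does not state the real buffer size in CSRadius. A defender can run inspect_access_request over captured datagrams to flag the malformed shapes before they reach a parser that trusts the length byte.

```python
import struct

# RFC 2865 packet code and RFC 2868 attribute type used below.
ACCESS_REQUEST = 1
TUNNEL_PASSWORD = 69          # RFC 2868 section 3.5
HEADER_LEN = 20               # code(1) + identifier(1) + length(2) + authenticator(16)
MIN_ATTR_LEN = 2              # type(1) + length(1); the length byte counts both
MAX_RADIUS_LEN = 4096         # RFC 2865 maximum packet length
# Assumed policy limit for a Tunnel-Password body (tag + salt + ciphertext).
# Constructed for this example; the advisory gives no actual buffer size.
MAX_TUNNEL_PASSWORD_VALUE = 3 + 64


def parse_attributes(payload):
    """Walk the attribute list and return (type, value) pairs.

    Raises ValueError when a declared length is smaller than the attribute
    header or runs past the end of the packet. The flaw described above is
    the absence of exactly this check before the value is copied.
    """
    attrs = []
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < MIN_ATTR_LEN:
            raise ValueError("truncated attribute header at offset %d" % offset)
        atype, alen = payload[offset], payload[offset + 1]
        if alen < MIN_ATTR_LEN:
            raise ValueError("attribute %d declares length %d < 2" % (atype, alen))
        if offset + alen > len(payload):
            raise ValueError("attribute %d length %d runs past packet end" % (atype, alen))
        attrs.append((atype, payload[offset + MIN_ATTR_LEN:offset + alen]))
        offset += alen
    return attrs


def check_tunnel_password(value):
    """Return a finding for an ill-formed Tunnel-Password value, or None.

    Expected layout (RFC 2868): tag(1) + salt(2) + ciphertext (multiple of 16).
    """
    if len(value) < 3 + 16:
        return "Tunnel-Password value too short (%d bytes)" % len(value)
    if (len(value) - 3) % 16 != 0:
        return "Tunnel-Password ciphertext length %d not a multiple of 16" % (len(value) - 3)
    if len(value) > MAX_TUNNEL_PASSWORD_VALUE:
        return "Tunnel-Password value %d bytes exceeds policy limit %d" % (
            len(value), MAX_TUNNEL_PASSWORD_VALUE)
    return None


def inspect_access_request(packet):
    """Validate one raw RADIUS datagram; return a list of findings (empty means clean)."""
    findings = []
    if len(packet) < HEADER_LEN:
        return ["packet shorter than 20-byte RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > MAX_RADIUS_LEN:
        return ["header length field %d outside RFC 2865 bounds" % length]
    if length > len(packet):
        return ["header length %d exceeds datagram size %d" % (length, len(packet))]
    if code != ACCESS_REQUEST:
        return findings   # only Access-Request is in scope for this check
    try:
        attrs = parse_attributes(packet[HEADER_LEN:length])
    except ValueError as exc:
        return [str(exc)]
    for atype, value in attrs:
        if atype == TUNNEL_PASSWORD:
            problem = check_tunnel_password(value)
            if problem:
                findings.append(problem)
    return findings


def build_packet(code, attributes):
    """Assemble a datagram from (type, value) pairs. Used only for constructed samples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = struct.pack("!BBH", code, 7, HEADER_LEN + len(body)) + b"\x00" * 16
    return header + body


# Constructed samples: one well-formed request and two malformed ones.
GOOD = build_packet(ACCESS_REQUEST, [
    (1, b"alice"),                                              # User-Name
    (TUNNEL_PASSWORD, b"\x01" + b"\x12\x34" + b"\xaa" * 16),   # tag + salt + 16-byte block
])
OVERSIZED = build_packet(ACCESS_REQUEST, [
    (TUNNEL_PASSWORD, b"\x01" + b"\x12\x34" + b"\xaa" * 240),  # 243-byte value
])
# Header says 25 bytes, attribute length byte says 200, only 3 value bytes follow.
TRUNCATED = (struct.pack("!BBH", ACCESS_REQUEST, 7, 25) + b"\x00" * 16
             + bytes([TUNNEL_PASSWORD, 200]) + b"\x01\x12\x34")

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("OVERSIZED", OVERSIZED), ("TRUNCATED", TRUNCATED)):
        print(name, inspect_access_request(pkt) or "clean")
```

The parser deliberately checks the declared length against the remaining datagram before slicing, and checks the Tunnel-Password body against both the RFC layout and a size ceiling; a receiver that performs these two checks cannot be driven into the oversized-copy condition the text describes.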