Source: cve@mitre.org
Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet. NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute.
Cisco Secure Access Control Server (ACS) is vulnerable to multiple denial-of-service (DoS) attacks, and potentially to remote code execution, due to flaws in its RADIUS processing. Attackers can craft malicious RADIUS packets to crash the CSRadius service, disrupting network authentication and potentially leading to unauthorized access. This vulnerability, affecting versions prior to 4.1, poses a significant risk to organizations relying on Cisco ACS for network security.
Step 1: Packet Crafting: The attacker crafts a malicious RADIUS Access-Request packet. This packet includes specific attributes, including a potentially oversized Tunnel-Password attribute, designed to trigger the vulnerability.
Step 2: Packet Transmission: The attacker sends the crafted RADIUS packet to the vulnerable Cisco ACS server, specifically targeting the CSRadius service.
Step 3: Packet Reception and Parsing: The CSRadius service receives and parses the malicious RADIUS packet.
Step 4: Attribute Processing: The service attempts to process the Tunnel-Password attribute (or other vulnerable attributes).
Step 5: Buffer Overflow Trigger: Due to insufficient bounds checking, the service copies the oversized Tunnel-Password value into a fixed-size buffer on the heap, causing a heap-based buffer overflow.
Step 6: Memory Corruption: The buffer overflow overwrites adjacent memory, corrupting data structures and potentially overwriting critical code.
Step 7: Service Crash: The corrupted memory leads to a crash of the CSRadius service, resulting in a denial of service.
The vulnerability stems from multiple unspecified flaws within the CSRadius service's handling of RADIUS Access-Request packets. One confirmed issue is a heap-based buffer overflow related to the Tunnel-Password attribute. The service likely fails to properly validate the size of this attribute before copying it into a fixed-size buffer on the heap. This allows an attacker to send a crafted packet with an excessively long Tunnel-Password value, overwriting adjacent memory and potentially corrupting critical data structures. This leads to a crash, resulting in a denial of service. The unspecified vulnerabilities likely involve similar flaws in other RADIUS attribute handling, leading to crashes or potentially more severe consequences like remote code execution. The root cause is a lack of input validation and bounds checking on data received from untrusted sources (RADIUS packets).
While no specific APT groups are directly linked to this CVE, the age and nature of the vulnerability make it a potential target for various actors. It's a classic vulnerability that could be exploited by anyone with basic skills. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Monitor network traffic for unusual RADIUS Access-Request packets, especially those with unusually large attribute values, particularly the Tunnel-Password attribute.
Analyze RADIUS server logs for error messages, crashes, or unexpected service restarts related to the CSRadius service.
Implement intrusion detection systems (IDS) or intrusion prevention systems (IPS) with signatures specifically designed to detect malicious RADIUS packets.
Monitor system logs for memory corruption errors or segmentation faults related to the CSRadius process.
Use network traffic analysis tools to identify the source IP addresses of malicious RADIUS packets.
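A packet-level check for the detection guidance above, added here as an example rather than code from the advisory or from Cisco: it parses a RADIUS datagram, flags Access-Request packets whose Tunnel-Password (attribute type 69) value exceeds an assumed length threshold, and reports malformed attribute length fields. The threshold, the function names and the two sample packets are constructed for illustration.

```python
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_TUNNEL_PASSWORD = 69  # RFC 2868 attribute type
# Assumed threshold: the value is tag(1) + salt(2) + encrypted string, and a
# legitimate encrypted tunnel password is rarely more than a few 16-byte blocks.
MAX_TUNNEL_PASSWORD_LEN = 64

def parse_radius(packet):
    """Return (code, identifier, attrs, problems); attrs is a list of (type, value)."""
    problems = []
    if len(packet) < 20:
        return None, None, [], ["datagram shorter than the 20-byte RADIUS header"]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        problems.append(f"header length {length} inconsistent with {len(packet)} bytes on wire")
        length = min(length, len(packet))
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            problems.append("truncated attribute header")
            break
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:  # length byte must cover type+length
            problems.append(f"attribute {atype} has invalid length {alen}")
            break
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return code, ident, attrs, problems

def inspect(packet):
    """Return alert strings for one UDP payload seen on the RADIUS port."""
    code, ident, attrs, alerts = parse_radius(packet)
    if code != RADIUS_ACCESS_REQUEST:
        return alerts
    for atype, value in attrs:
        if atype == ATTR_TUNNEL_PASSWORD and len(value) > MAX_TUNNEL_PASSWORD_LEN:
            alerts.append(f"id={ident}: Tunnel-Password value of {len(value)} bytes "
                          f"exceeds {MAX_TUNNEL_PASSWORD_LEN}")
    return alerts

def build_access_request(attrs):
    """Constructed test input: encode an Access-Request with a zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 7, 20 + len(body)) + bytes(16) + body

# Constructed samples: a normal login and one with an abnormally long Tunnel-Password.
BENIGN = build_access_request([(1, b"alice"), (69, b"\x01\x12\x34" + b"x" * 16)])
SUSPECT = build_access_request([(1, b"alice"), (69, b"\x01\x12\x34" + b"x" * 200)])
```

Feeding captured UDP payloads from port 1812 (or 1645 on older deployments) through inspect() gives a per-packet alert list; tune MAX_TUNNEL_PASSWORD_LEN to the longest value your own NAS devices legitimately send.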
Upgrade to Cisco Secure Access Control Server (ACS) version 4.1 or later. This is the primary and most effective remediation.
Implement strong input validation on all RADIUS attributes, including length checks and data type validation.
Apply the principle of least privilege to the CSRadius service, restricting its access to only the necessary resources.
Segment the network to isolate the ACS server from other critical systems.
Regularly audit the RADIUS server configuration for any misconfigurations or vulnerabilities.
Implement a robust patch management process to ensure that all security updates are applied promptly.