Source: cve@mitre.org
Stack-based buffer overflow in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted RADIUS Accounting-Request packet.
Cisco Secure Access Control Server (ACS) for Windows is vulnerable to a critical remote code execution (RCE) vulnerability. Exploiting a stack-based buffer overflow in the CSRadius service allows attackers to inject malicious code through crafted RADIUS Accounting-Request packets, potentially granting them full control of the server and compromising sensitive network access controls.
Step 1: Packet Crafting: The attacker crafts a malicious RADIUS Accounting-Request packet. This packet is designed to exploit the buffer overflow vulnerability.
Step 2: Payload Insertion: The attacker includes a malicious payload within a specific field of the RADIUS Accounting-Request packet. This payload will overwrite the stack.
Step 3: Packet Transmission: The attacker sends the crafted packet to the vulnerable CSRadius service.
Step 4: Vulnerability Trigger: The CSRadius service receives and processes the malicious packet. Due to the lack of bounds checking, the oversized payload overflows the allocated buffer.
Step 5: Control Hijack: The buffer overflow overwrites the return address on the stack. The return address is overwritten with the address of the attacker's injected shellcode.
Step 6: Code Execution: When the function that was processing the packet returns, it jumps to the attacker's shellcode, granting the attacker control of the server.
The vulnerability stems from a stack-based buffer overflow within the CSRadius service, specifically in how it handles RADIUS Accounting-Request packets. The service fails to properly validate the size of data within certain fields of the packet, leading to an overflow when a crafted packet with an excessively large payload is processed. This overflow overwrites adjacent memory on the stack, including the return address of a function. By carefully crafting the malicious payload, an attacker can overwrite the return address with the address of their injected shellcode, causing the service to execute the attacker's code. The root cause is a lack of bounds checking on input data, allowing an attacker to write beyond the allocated buffer on the stack.
While no specific APT groups are definitively linked to the exploitation of this specific CVE, the nature of the vulnerability (RCE) and the target (network access control) make it attractive to various threat actors. This vulnerability is not listed on the CISA KEV at this time.
Network Intrusion Detection Systems (NIDS) can be configured to detect malicious RADIUS Accounting-Request packets with unusually large fields or specific payload patterns.
Security Information and Event Management (SIEM) systems can be configured to alert on suspicious activity related to the CSRadius service, such as unexpected process creation or network connections.
Review RADIUS server logs for malformed or unusually large Accounting-Request packets.
Monitor for unauthorized changes to system files or configurations on the ACS server.
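As an added illustration of the detection guidance above (example code written for this page, not code from Cisco, the CVE record, or any NIDS product), the following Python script parses RADIUS datagrams according to the RFC 2866 layout and reports Accounting-Request packets whose attribute fields are malformed or unusually large. The alert thresholds `MAX_ATTR_VALUE_LEN` and `MAX_TOTAL_PER_TYPE`, the `build_packet` helper and the three sample packets are constructed assumptions; the page does not say which attribute the vulnerable CSRadius code mishandles, so these are generic structural checks suitable for a NIDS preprocessor or a log-review script rather than a signature for this CVE.

```python
"""Flag malformed or oversized RADIUS Accounting-Request packets (RFC 2866 layout)."""
import struct

ACCOUNTING_REQUEST = 4        # RADIUS Code value for Accounting-Request
HEADER_LEN = 20               # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)
MAX_ATTR_VALUE_LEN = 64       # assumed per-attribute alert threshold; tune per deployment
MAX_TOTAL_PER_TYPE = 256      # assumed threshold for one attribute type repeated in a packet

# A few well-known attribute types (RFC 2865/2866) to make findings readable.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}


def inspect_accounting_request(packet: bytes) -> dict:
    """Parse one RADIUS datagram and return structural findings.

    Result keys: 'code', 'attributes' (list of (type, value_len)) and
    'findings' (list of strings; an empty list means the packet looks well-formed).
    Packets that are not Accounting-Requests are returned with no findings.
    """
    findings = []
    if len(packet) < HEADER_LEN:
        return {"code": None, "attributes": [], "findings": ["datagram shorter than RADIUS header"]}
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        return {"code": code, "attributes": [], "findings": []}
    if length != len(packet):
        findings.append(f"Length field {length} != datagram size {len(packet)}")

    attributes = []
    total_by_type = {}
    offset = HEADER_LEN
    end = min(length, len(packet))            # never read past what actually arrived
    while offset < end:
        if end - offset < 2:
            findings.append(f"truncated attribute header at offset {offset}")
            break
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2:                      # RFC minimum: 2-byte header, no value
            findings.append(f"attribute type {attr_type} has illegal length {attr_len}")
            break
        if offset + attr_len > end:
            findings.append(f"attribute type {attr_type} length {attr_len} runs past packet end")
            break
        value_len = attr_len - 2
        attributes.append((attr_type, value_len))
        total_by_type[attr_type] = total_by_type.get(attr_type, 0) + value_len
        if value_len > MAX_ATTR_VALUE_LEN:
            name = ATTR_NAMES.get(attr_type, f"type {attr_type}")
            findings.append(f"{name} value is {value_len} bytes (threshold {MAX_ATTR_VALUE_LEN})")
        offset += attr_len

    # A single attribute is capped at 253 bytes by its 1-byte length field, so a parser
    # that concatenates repeated attributes is the more likely place for an overflow.
    for attr_type, total in total_by_type.items():
        if total > MAX_TOTAL_PER_TYPE:
            name = ATTR_NAMES.get(attr_type, f"type {attr_type}")
            findings.append(f"{name} repeated for {total} bytes total (threshold {MAX_TOTAL_PER_TYPE})")
    return {"code": code, "attributes": attributes, "findings": findings}


def is_suspicious(packet: bytes) -> bool:
    """True when the datagram produced at least one structural finding."""
    return bool(inspect_accounting_request(packet)["findings"])


def build_packet(attrs, code=ACCOUNTING_REQUEST, ident=1) -> bytes:
    """Assemble a RADIUS datagram from (type, value) pairs. Constructed test data only;
    the Request Authenticator is zeroed instead of being the MD5 digest RFC 2866 requires."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


# Constructed samples: a normal Start record, a packet stuffing User-Name, and a truncated one.
NORMAL = build_packet([(1, b"alice"), (40, struct.pack("!I", 1)), (44, b"0000ABCD")])
OVERSIZED = build_packet([(1, b"A" * 200), (1, b"A" * 200), (40, struct.pack("!I", 1))])
TRUNCATED = NORMAL[:-3]      # Length field now claims more bytes than were received

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        result = inspect_accounting_request(pkt)
        print(f"{label}: {len(pkt)} bytes, {len(result['attributes'])} attributes")
        for finding in result["findings"]:
            print("  ALERT:", finding)
```

In a live deployment the same function would be fed from a packet capture on UDP/1813 (or the legacy 1646) in front of the ACS host, and each finding would be forwarded to the SIEM together with the source address and the Identifier byte so that analysts can correlate it with CSRadius crashes or unexpected child processes on the server.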
Upgrade to a patched version of Cisco Secure ACS or ACS Solution Engine (version 4.1 or later).
Implement network segmentation to isolate the ACS server from other critical network resources.
Enforce strong authentication and authorization policies for all users accessing the ACS server.
Regularly audit the ACS server configuration and logs for suspicious activity.
Implement a Web Application Firewall (WAF) in front of the ACS server to filter malicious traffic.