There is a critical, remotely exploitable vulnerability in Cisco’s Secure Access Control Server (ACS) that allows a remote attacker to take complete control of a vulnerable server.
The bug is the result of a flawed implementation of the EAP-FAST protocol, and it affects a number of versions of the Cisco ACS.
The vulnerability is highly critical because an attacker needs no authentication and can take control of the machine running the server. Cisco officials said the flaw only exists when the ACS server is configured as a RADIUS server. The company has issued a patch for the vulnerability. There are no workarounds to implement before the patch is rolled out.
“The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication. An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device. An exploit could allow the attacker to execute arbitrary commands on the Cisco Secure ACS server and take full control of the affected server,” the Cisco advisory said.
“Commands are executed in the context of the System user for Cisco Secure ACS authentication service running on Microsoft Windows. Cisco Secure ACS uses the standard RADIUS UDP port 1812 or 1645 for EAP-FAST authentication.”
The vulnerability affects versions 4.0 through 22.214.171.124 of the Cisco ACS server and the patch is in version 126.96.36.199.11. Cisco officials said they’re not aware of any public exploitation of the vulnerability yet.
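As an added example (not from Cisco's advisory or the ACS code), this strict parser labels UDP payloads captured on ports 1812 or 1645 as EAP-Identity or EAP-FAST traffic and rejects datagrams whose length fields do not add up. The constants come from RFC 2865, RFC 3579, RFC 3748 and RFC 4851; the function names and sample-packet helpers are constructed for illustration, and nothing here models the ACS flaw itself, which the advisory does not detail.

```python
import struct

# Protocol constants: RFC 2865 (RADIUS), RFC 3579 (EAP over RADIUS), RFC 4851 (EAP-FAST).
ACCESS_REQUEST, ATTR_EAP_MESSAGE = 1, 79
EAP_RESPONSE, EAP_IDENTITY, EAP_FAST = 2, 1, 43

def extract_eap(pkt: bytes) -> bytes:
    """Reassemble the EAP packet from a RADIUS datagram, checking every length."""
    if len(pkt) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= 4096 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    eap, off = b"", 20          # attributes start after the 20-byte header
    while off < length:         # bytes past `length` are padding and ignored
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("attribute overruns packet")
        if atype == ATTR_EAP_MESSAGE:   # EAP may be split across attributes
            eap += pkt[off + 2:off + alen]
        off += alen
    return eap

def classify(pkt: bytes) -> str:
    """Label one UDP payload seen on port 1812 or 1645."""
    try:
        eap = extract_eap(pkt)
    except ValueError as exc:
        return f"rejected: {exc}"
    if not eap:
        return "no-eap"
    if len(eap) < 5 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        return "rejected: EAP length mismatch"
    if eap[0] == EAP_RESPONSE and eap[4] == EAP_IDENTITY:
        return f"eap-identity len={len(eap) - 5}"
    if eap[4] == EAP_FAST:
        return "eap-fast"
    return "eap-other"

def build(attrs: bytes, code: int = ACCESS_REQUEST) -> bytes:
    """Constructed sample datagram: zero authenticator plus the given attributes."""
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

def eap_attr(eap: bytes) -> bytes:
    """Wrap constructed EAP bytes in a single EAP-Message attribute."""
    return bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
```

Counting `eap-fast` and `rejected:` results per source address shows which hosts are speaking EAP-FAST to the server and which are sending malformed datagrams.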