Cisco patched the vulnerability in Cisco Secure Access Control Server (ACS) that a remote attacker could end up executing arbitrary commands and take complete control of the affected server.
“The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication. An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device. An exploit could allow the attacker to execute arbitrary commands on the Cisco Secure ACS server and take full control of the affected server,” Cisco said in its advisory.
The affected versions are Cisco Secure Access Control Server 4.0 through 220.127.116.11.
There are no known workarounds for this security hole. Users of affected ACS versions should install version 18.104.22.168.11, which addresses the vulnerability.
Before deploying the update, customers should check the software for feature set compatibility and known issues specific to their environments.