In association with heise online

13 March 2008, 12:38

Cisco patches holes in Secure Access Control Server

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Network appliance vendor Cisco has released an update to remedy a vulnerability in its Secure Access Control Server (ACS) that allowed attackers to inject malicious code remotely. The new version also closes a cross-site scripting hole.

The ACS is based on a collection of CGI programs for Microsoft's Internet Information Server 6.0. It allows users to change their passwords via a web browser that has access to the Windows User-Changeable Password (UCP) component. Users first have to enter their current logon credentials before changes can be made.

Felix "FX" Lindner has discovered vulnerabilities in the CGI program /securecgi-bin/CSUserCGI.exe that allow attackers to inject malicious code remotely via HTTP without being logged on. The length of parameters transferred to the program is not properly checked during processing. As a result, fixed-size buffers can overflow. Furthermore, the help function does not properly filter user input, so script code can be injected, allowing cross-site scripting.

The flaws are present in Cisco Secure ACS for Windows and the Secure ACS Solution Engine (Appliance) with software versions prior to 4.2. Registered users are advised to download and install the latest version from Cisco's website as soon as possible. The company provides a link in its security advisory.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit