Cisco patches holes in Secure Access Control Server
Network appliance vendor Cisco has released an update to remedy a vulnerability in its Secure Access Control Server (ACS) that allowed attackers to inject malicious code remotely. The new version also closes a cross-site scripting hole.
The ACS is based on a collection of CGI programs for Microsoft's Internet Information Server 6.0. Through the Windows User-Changeable Password (UCP) component, users can change their passwords from a web browser; they first have to enter their current logon credentials before changes can be made.
Felix "FX" Lindner has discovered vulnerabilities in the CGI program /securecgi-bin/CSUserCGI.exe that allow attackers to inject malicious code remotely via HTTP without being logged on. The length of parameters transferred to the program is not properly checked during processing. As a result, fixed-size buffers can overflow. Furthermore, the help function does not properly filter user input, so script code can be injected, allowing cross-site scripting.
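The two flaw classes described above, an unchecked parameter length copied into a fixed-size buffer and unfiltered input reflected into a help page, are illustrated below from a defensive angle. This is an added example written for this page, not Cisco's code and not taken from either advisory; the function names, the 32-byte buffer size and the sample inputs are constructed assumptions. It shows the flawed copy pattern next to a hardened one that rejects over-length parameters before any copy happens, and an HTML escaper of the kind the help function would need.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32   /* constructed size of the hypothetical fixed buffer */

/* Flawed pattern (hypothetical, shown for contrast and never called):
   the parameter length is never compared against the buffer, so any input
   longer than USERNAME_MAX - 1 bytes overwrites whatever follows the buffer. */
void copy_param_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened pattern: reject input that does not fit, including the terminator,
   instead of truncating it silently (truncation could change which account
   the request refers to). Returns 0 on success, -1 if rejected. */
int copy_param_checked(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Simulates the handler's first step for a "user" request parameter.
   Returns 1 if the parameter is accepted, 0 if the request is dropped. */
int accept_username_param(const char *param) {
    char username[USERNAME_MAX];
    if (copy_param_checked(username, sizeof username, param) != 0)
        return 0;
    return 1;
}

/* Escapes the characters that let reflected input break out of an HTML text
   context. Returns the number of bytes written (without terminator), or -1
   if the escaped form does not fit in out. */
int html_escape(char *out, size_t out_size, const char *in) {
    size_t o = 0;
    for (; *in; in++) {
        char single[2] = { *in, 0 };
        const char *rep;
        switch (*in) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = single;   break;
        }
        size_t rl = strlen(rep);
        if (o + rl >= out_size)       /* keep room for the terminator */
            return -1;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = 0;
    return (int)o;
}

/* Escapes a help-page parameter into a static buffer for demonstration;
   returns an empty string if the escaped text does not fit. */
const char *escape_for_help_page(const char *param) {
    static char out[256];
    if (html_escape(out, sizeof out, param) < 0)
        out[0] = 0;
    return out;
}

int main(void) {
    /* Constructed sample inputs: a normal username and one that is too long. */
    const char *ok = "alice";
    char too_long[USERNAME_MAX + 8];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = 0;

    printf("'%s' accepted: %d\n", ok, accept_username_param(ok));
    printf("%zu-byte parameter accepted: %d\n", strlen(too_long),
           accept_username_param(too_long));
    printf("help text escaped: %s\n",
           escape_for_help_page("<b>help</b> & \"quotes\""));
    return 0;
}
```

The check in `copy_param_checked` uses `>=` rather than `>` so that the terminating NUL always fits; an off-by-one here is the same bug class in miniature. Rejecting rather than truncating also gives the server an event worth logging, since a legitimate browser form never submits a 39-byte username.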
The flaws are present in Cisco Secure ACS for Windows and the Secure ACS Solution Engine (Appliance) with software versions prior to 4.2. Registered users are advised to download and install the latest version from Cisco's website as soon as possible. The company provides a link in its security advisory.
- Security advisory by Felix "FX" Lindner
- Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities, security advisory by Cisco