Cisco Systems has released software updates for its Cisco Secure Access Control System (ACS) in order to patch three vulnerabilities that could give remote attackers administrative access to the platform and allow them to execute OS-level commands without authorization.
Cisco ACS is a server appliance that enforces access control policies for both wireless and wired network clients. It's managed through a Web-based user interface and supports the RADIUS (Remote Access Dial In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) protocols.
[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Versions of the Cisco Secure ACS software older than 5.5 contain two vulnerabilities in the RMI (Remote Method Invocation) interface that's used for communication between different ACS deployments and listens on TCP ports 2020 and 2030.
One of the vulnerabilities, identified as CVE-2014-0648, stems from insufficient authentication and authorization enforcement and allows remote unauthenticated attackers to perform administrative actions on the system through the RMI interface.
The other vulnerability, identified as CVE-2014-0649, allows remote attackers with access to restricted user accounts to escalate their privileges and perform superadmin functions via the RMI interface.
A third vulnerability, tracked as CVE-2014-0650, was discovered in the system's Web-based interface and is the result of insufficient input validation. An unauthenticated remote attacker can exploit this vulnerability to inject and execute OS-level commands without shell access, Cisco said in a security advisory. This vulnerability affects Cisco Secure ACS software older than 5.4 patch 3.
There are no configuration workarounds available to mitigate these vulnerabilities, so updating the software to the new versions released by Cisco is recommended.
"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory," the company said.