Vigil@nce - Cisco Secure ACS: privilege escalation
January 2015 by Marc Jacob
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can manipulate Network Identity Groups
of Cisco Secure ACS, in order to escalate his privileges.
Impacted products: Secure ACS
Severity: 2/4
Creation date: 09/01/2015
DESCRIPTION OF THE VULNERABILITY
The Cisco Secure ACS product offers a web service.
Only Network Device Administrator are allowed to manipulate
Network Identity Groups. However, an error of RBAC (Role Based
Access Control) allows all authenticated users on the web service
to perform these operations.
An authenticated attacker can therefore manipulate Network
Identity Groups of Cisco Secure ACS, in order to escalate his
privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-Secure-ACS-privilege-escalation-15937