Vigil@nce: Cisco Secure ACS, denial of service of RADIUS EAP
September 2008 by Vigil@nce
An attacker can send a malicious RADIUS EAP packet in order to stop Cisco Secure ACS CSRadius and CSAuth.
Consequences: denial of service of service
Provenance: intranet client
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/09/2008
Cisco Secure Access Control Server
The Cisco Secure ACS product implements a RADIUS server (RFC 2865) to centralize authentication.
The EAP protocol (RFC 3748) encapsulates authentication data. An EAP packet contains:
an operation code (Request, Response, etc.)
an identifier to associate responses and queries
the packet length
However, Cisco Secure ACS CSRadius and CSAuth do not correctly check the indicated length in the RADIUS EAP packet.
An attacker who knows the RADIUS shared secret can therefore send a malicious packet in order to create a denial of service and possibly to execute code.
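The length checks a receiver has to apply to the EAP header described above, as an added example: this is not Cisco's code and does not reconstruct the specific flaw, which the advisory does not detail. The names eap_parse and eap_view, the status codes and the two sample packets are constructed for illustration; the input is assumed to be the EAP packet already reassembled from the RADIUS EAP-Message attributes.

```c
#include <stddef.h>
#include <stdint.h>

/* EAP codes, RFC 3748 section 4 */
enum { EAP_REQUEST = 1, EAP_RESPONSE = 2, EAP_SUCCESS = 3, EAP_FAILURE = 4 };
enum eap_status { EAP_OK = 0, EAP_TRUNCATED, EAP_BAD_LENGTH, EAP_BAD_CODE };

struct eap_view {                 /* hypothetical parsed view, not a real API */
    uint8_t code, id, type;       /* type stays 0 for Success/Failure */
    const uint8_t *data;          /* type-data, or NULL */
    size_t data_len;
};

/* Constructed samples: an Identity Response, then the same bytes with the
 * Length field claiming 0x0400 octets although only 8 were received. */
const uint8_t sample_ok[]  = {2, 1, 0x00, 0x08, 1, 'b', 'o', 'b'};
const uint8_t sample_bad[] = {2, 1, 0x04, 0x00, 1, 'b', 'o', 'b'};

/* Validate the header against the `avail` bytes actually received
 * before any field or payload byte is used. */
enum eap_status eap_parse(const uint8_t *buf, size_t avail, struct eap_view *out)
{
    if (buf == NULL || out == NULL || avail < 4)
        return EAP_TRUNCATED;                    /* header incomplete */

    size_t len = ((size_t)buf[2] << 8) | buf[3]; /* big-endian Length */
    if (len < 4 || len > avail)
        return EAP_BAD_LENGTH;   /* shorter than header, or more than received */

    out->code = buf[0];
    out->id = buf[1];
    out->type = 0;
    out->data = NULL;
    out->data_len = 0;

    switch (buf[0]) {
    case EAP_REQUEST:
    case EAP_RESPONSE:
        if (len < 5)
            return EAP_BAD_LENGTH;               /* no room for the Type octet */
        out->type = buf[4];
        out->data = buf + 5;
        out->data_len = len - 5;                 /* cannot underflow: len >= 5 */
        return EAP_OK;
    case EAP_SUCCESS:
    case EAP_FAILURE:
        return len == 4 ? EAP_OK : EAP_BAD_LENGTH;
    default:
        return EAP_BAD_CODE;
    }
}
```

The payload size is always derived from the validated Length field and bounded by the received byte count, so later copies or reads sized by data_len stay inside the buffer.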
Identifiers: 107443, BID-30997, cisco-sr-20080903-csacs, CSCsq10103, CVE-2008-2441, VIGILANCE-VUL-8084