Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Vigil@nce: Cisco Secure ACS, denial of service of RADIUS EAP

September 2008 by Vigil@nce


An attacker can send a malicious RADIUS EAP packet in order to stop Cisco Secure ACS CSRadius and CSAuth.

Gravity: 2/4

Consequences: denial of service of service

Provenance: intranet client

Means of attack: 1 proof of concept

Ability of attacker: specialist (3/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 04/09/2008

Identifier: VIGILANCE-VUL-8084


- Cisco Secure Access Control Server


The Cisco Secure ACS product implements a RADIUS server (RFC 2865) to centralize authentication.

The EAP protocol (RFC 37480) encapsulates authentication data. An EAP packet contains:

- an operation code (Request, Response, etc.)
- an identifier to associate responses and queries
- the packet length
- etc.

However, Cisco Secure ACS CSRadius and CSAuth do not correctly check the indicated length in the RADIUS EAP packet.

An attacker knowing the RADIUS shared secret can therefore send a malicious packet in order to create a denial of service and eventually to execute code.


Identifiers: 107443, BID-30997, cisco-sr-20080903-csacs, CSCsq10103, CVE-2008-2441, VIGILANCE-VUL-8084

See previous articles


See next articles