Vigil@nce: Cisco Secure ACS, denial of service of RADIUS EAP
September 2008 by Vigil@nce
SYNTHESIS
An attacker can send a malicious RADIUS EAP packet in order to
stop Cisco Secure ACS CSRadius and CSAuth.
Gravity: 2/4
Consequences: denial of service of service
Provenance: intranet client
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/09/2008
Identifier: VIGILANCE-VUL-8084
IMPACTED PRODUCTS
– Cisco Secure Access Control Server
DESCRIPTION
The Cisco Secure ACS product implements a RADIUS server (RFC 2865)
to centralize authentication.
The EAP protocol (RFC 3748) encapsulates authentication data. An
EAP packet contains:
– an operation code (Request, Response, etc.)
– an identifier to match responses with requests
– the packet length
– etc.
However, Cisco Secure ACS CSRadius and CSAuth do not correctly
check the indicated length in the RADIUS EAP packet.
An attacker who knows the RADIUS shared secret can therefore send a
malicious packet in order to create a denial of service and
possibly to execute code.
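The length validation that RFC 3748 asks of an EAP receiver, as an added C example (not Cisco's code and not part of the original bulletin; the bulletin gives no detail of the CSRadius/CSAuth flaw, so this shows only the general check). The names eap_parse, eap_packet and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP header (RFC 3748, section 4): Code, Identifier, 16-bit Length. */
enum { EAP_HDR_LEN = 4, EAP_REQUEST = 1, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE };
typedef enum { EAP_OK, EAP_ERR_TRUNCATED, EAP_ERR_LENGTH, EAP_ERR_CODE } eap_status;
typedef struct {
    uint8_t code, id, type;   /* type stays 0 for Success/Failure */
    const uint8_t *data;      /* type-data, points into the caller's buffer */
    size_t data_len;
} eap_packet;

/* buf/received: EAP packet reassembled from the RADIUS EAP-Message attributes. */
eap_status eap_parse(const uint8_t *buf, size_t received, eap_packet *out)
{
    if (!buf || !out || received < EAP_HDR_LEN)
        return EAP_ERR_TRUNCATED;
    size_t declared = ((size_t)buf[2] << 8) | buf[3];   /* network byte order */
    /* The declared length is untrusted: bound it by what was really received. */
    if (declared < EAP_HDR_LEN || declared > received)
        return EAP_ERR_LENGTH;
    *out = (eap_packet){ .code = buf[0], .id = buf[1] };
    switch (out->code) {
    case EAP_REQUEST: case EAP_RESPONSE:
        if (declared < EAP_HDR_LEN + 1)                 /* Type octet is mandatory */
            return EAP_ERR_LENGTH;
        out->type = buf[4];
        out->data = buf + EAP_HDR_LEN + 1;
        out->data_len = declared - (EAP_HDR_LEN + 1);   /* bytes past 'declared' are padding */
        return EAP_OK;
    case EAP_SUCCESS: case EAP_FAILURE:
        return declared == EAP_HDR_LEN ? EAP_OK : EAP_ERR_LENGTH;
    default:
        return EAP_ERR_CODE;
    }
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_ok[]       = { 2, 7, 0x00, 0x09, 1, 'u', 's', 'e', 'r' };
static const uint8_t sample_overlong[] = { 2, 7, 0x01, 0x00, 1, 'u' };  /* claims 256, has 6 */
static const uint8_t sample_short[]    = { 2, 7, 0x00, 0x03 };          /* claims 3 < header */

int main(void)
{
    eap_packet p;
    printf("%d %d %d\n", eap_parse(sample_ok, sizeof sample_ok, &p),
           eap_parse(sample_overlong, sizeof sample_overlong, &p),
           eap_parse(sample_short, sizeof sample_short, &p));
    return 0;
}
```

A packet rejected with EAP_ERR_LENGTH or EAP_ERR_TRUNCATED should be dropped before any handler copies or indexes its data.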
CHARACTERISTICS
Identifiers: 107443, BID-30997, cisco-sr-20080903-csacs,
CSCsq10103, CVE-2008-2441, VIGILANCE-VUL-8084