CVE-2006-0561
CVSS 7.2
Published: 2006-05-09 22:14:00
Last revised: 2011-03-07 21:30:17

[Original] Cisco Secure Access Control Server (ACS) 3.x for Windows stores ACS administrator passwords and the master key in the registry with insecure permissions, which allows local users and remote administrators to decrypt the passwords by using Microsoft's cryptographic API functions to obtain the plaintext version of the master key.


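[CNNVD] Cisco Secure ACS Insecure Password Information Disclosure Vulnerability (CNNVD-200605-133)

        Cisco Secure ACS is a central administration platform for Cisco network devices, used to control device authentication and authorization.
        A flaw exists in how Cisco Secure ACS stores passwords: a local or remote attacker may be able to easily obtain password information from the registry and thereby gain unauthorized access to devices.
        Cisco Secure ACS 3.x for Windows stores the passwords of administrative users in the registry. These passwords are encrypted using the Crypto API Microsoft Base Cryptographic Provider v1.0. Along with the passwords, ACS also stores the key used to encrypt the information. However, a Windows administrator can easily obtain this information, and if remote registry access is allowed, it can also be obtained over the network. An attacker can then use the supplied key to decrypt the information in the registry, recover the clear-text passwords, and ultimately access all Cisco devices controlled by the ACS server.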

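- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may render the system completely unavailable]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)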

cpe:/a:cisco:secure_access_control_server:3.3::windows_nt
cpe:/a:cisco:secure_access_control_server:3.2::windows_nt
cpe:/a:cisco:secure_access_control_server:3.2::windows_server
cpe:/a:cisco:secure_access_control_server:3.1::windows_nt
cpe:/a:cisco:secure_access_control_server:3.0::windows_nt
cpe:/a:cisco:secure_access_control_server:3.0.3::windows_nt
cpe:/a:cisco:secure_access_control_server:3.0.1::windows_nt
cpe:/a:cisco:secure_access_control_server:3.1.1::windows_nt

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0561
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0561
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-133
(official data source) CNNVD

- Other links and resources

http://www.symantec.com/enterprise/research/SYMSA-2006-003.txt
(VENDOR_ADVISORY)  MISC  http://www.symantec.com/enterprise/research/SYMSA-2006-003.txt
http://www.securityfocus.com/bid/16743
(PATCH)  BID  16743
http://www.securityfocus.com/archive/1/433301/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060508 Re: SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure
http://www.cisco.com/warp/public/707/cisco-sr-20060508-acs.shtml
(PATCH)  CISCO  20060508 Response to Symantec SYMSA-2006-003 Cisco Secure ACS for Windows - Administrator Password Disclosure
http://securitytracker.com/id?1016042
(PATCH)  SECTRACK  1016042
http://www.vupen.com/english/advisories/2006/1741
(UNKNOWN)  VUPEN  ADV-2006-1741
http://www.securityfocus.com/archive/1/433286/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060508 SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure
http://xforce.iss.net/xforce/xfdb/26307
(UNKNOWN)  XF  cisco-acs-admin-password-disclosure(26307)
http://www.osvdb.org/25892
(UNKNOWN)  OSVDB  25892

- Vulnerability information

Cisco Secure ACS Insecure Password Information Disclosure Vulnerability
High risk  Design error
2006-05-09 00:00:00 2006-05-10 00:00:00
Remote / Local

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. Patch download link:
        http://www.cisco.com/warp/public/707/advisory.html

- Vulnerability information (F46315)

SYMSA-2006-003.txt (PacketStormID:F46315)
2006-05-17 00:00:00
Andreas Junestam  symantec.com
advisory,crypto,registry
cisco,windows
CVE-2006-0561

Symantec Vulnerability Research SYMSA-2006-003 - Cisco Secure ACS 3.x for Windows stores passwords for administrative users in the registry. The passwords are encrypted using the Crypto API Microsoft Base Cryptographic Provider version 1.0. Along with the passwords, ACS also stores the key used to encrypt the information.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




                    Symantec Vulnerability Research                                   
                    https://www.symantec.com/research
                          Security Advisory

Advisory ID   : SYMSA-2006-003
Advisory Title: Cisco Secure ACS for Windows - Administrator 
                Password Disclosure
Author        : Andreas Junestam
Release Date  : 05-08-2006
Application   : Cisco Secure ACS 3.x for Windows
Platform      : Microsoft Windows
Severity      : System access / exploit available 
Vendor status : Vendor verified, workaround available
CVE Number    : CVE-2006-0561
Reference     : http://www.securityfocus.com/bid/16743


Overview: 

	Cisco Secure ACS is a central administration platform for 
	Cisco network devices. It controls authentication and 
	authorization for enrolled devices. Administrative 
	passwords for locally-defined users are stored in such a 
	way they can be obtained from the Windows registry. If 
	remote registry access is enabled, this can be done over 
	the network.

	If Cisco Secure ACS is configured to use an external 
	authentication service such as Windows Active Directory or
	LDAP, the passwords for users stored by those services are
	not vulnerable to this issue.


Details: 

	Cisco Secure ACS 3.x for Windows stores passwords for 
	administrative users in the registry. The passwords are 
	encrypted using the Crypto API Microsoft Base Cryptographic 
	Provider v1.0. Along with the passwords, ACS also stores 
	the key used to encrypt the information. This information 
	can easily be obtained locally by a Windows administrator, 
	and if remote registry access is enabled, it can be 
	obtained over the network. With this, the clear-text 
	passwords can be recovered by decrypting the information 
	in the registry with the supplied key. Access to these 
	passwords provides access to all Cisco devices controlled 
	by the ACS server.


Vendor Response:


	Cisco Secure ACS 3.x for Windows stores the passwords of 
	ACS administrators in the Windows registry in an encrypted 
	format. A locally generated master key is used to 
	encrypt/decrypt the ACS administrator passwords. The master
	key is also stored in the Windows registry in an encrypted 
	format. Using Microsoft cryptographic routines, it is 
	possible for a user with administrative privileges to a 
	system running Cisco Secure ACS to obtain the clear-text 
	version of the master key. With the master key, the user 
	can decrypt and obtain the clear-text passwords for all 
	ACS administrators. With administrative credentials to 
	Cisco Secure ACS, it is possible to change the password 
	for any locally defined users. This may be used to gain 
	access to network devices configured to use Cisco Secure 
	ACS for authentication.

	If remote registry access is enabled on a system running 
	Cisco Secure ACS, it is possible for a user with
	administrative privileges (typically domain administrators) 
	to exploit this vulnerability.

	If Cisco Secure ACS is configured to use an external 
	authentication service such as Windows Active Directory / 
	Domains or LDAP, the passwords for users stored by those 
	services are not at risk to compromise via this 
	vulnerability.

	This vulnerability only affects version 3.x of Cisco Secure 
	ACS for Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco 
	Secure ACS for UNIX are not vulnerable. Cisco Secure ACS 3.x 
	appliances do not permit local or remote Windows registry 
	access and are not vulnerable.
     
Workaround:

	It is possible to mitigate this vulnerability by 
	restricting access to the registry key containing the 
	ACS administrators' passwords. One feature of Windows 
	operating systems is the ability to modify the permissions 
	of a registry key to remove access even for local or 
	domain administrators. Using this feature, the registry 
	key containing the ACS administrators' passwords can be 
	restricted to only the Windows users with a need to 
	maintain the ACS installation or operate the ACS services.

	The following registry key and all of its sub-keys need to 
	be protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

	Note: The "CiscoAAAv3.3" portion of the registry key path
	may differ slightly depending on the version of Cisco Secure
	ACS for Windows that is installed.

	There are two general deployment scenarios for Cisco Secure
	ACS. The Windows users that need permissions to the registry
	key will depend on the deployment type.

	* If Cisco Secure ACS is not installed on a Windows domain 
	controller, access to the registry key should be limited to
	only the local Windows SYSTEM account and specific local / 
	domain administrators who will be performing software 
	maintenance on the ACS installation. 
	
	* If Cisco Secure ACS is installed on a Windows domain 
	controller, access to the registry key should be limited to 
	the domain account which ACS is configured to use for its 
	services, the local Windows SYSTEM account and specific 
	local / domain administrators who will be performing 
	software maintenance on the ACS installation.

	For information about editing the Windows registry, please 
	consult the following Microsoft documentation.

	"Description of the Microsoft Windows registry"

	http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986

	Further mitigation against remote exploitation can be 
	achieved by restricting access to authorized users or 
	disabling remote access to the Windows registry on systems
	running Cisco Secure ACS for Windows. For information on
	restricting remote registry access, please consult the
	following Microsoft documentation.

	"How to restrict access to the registry from a remote computer"

	http://support.microsoft.com/kb/q153183

	"How to Manage Remote Access to the Registry"

	http://support.microsoft.com/kb/q314837
	
Recommendation:
	
	Follow your organization's testing procedures before 
	applying patches or workarounds.  See Cisco's instructions
	on how to place an ACL on the Registry Key, and also how 
	to restrict remote access to the Windows registry.

	These recommendations do not eliminate the vulnerability, 
	but provide some mitigation.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.


	CVE-2006-0561

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy: 
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive: 
http://www.symantec.com/research/  

Symantec Vulnerability Research PGP Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_PGP.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com 

For general information on Symantec's Product Vulnerability 
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive: 
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted 
as long as it is not edited in any way unless authorized by 
Symantec Consulting Services. Reprinting the whole or part of 
this alert in any medium other than electronically requires 
permission from cs_advisories@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS 
condition. There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability for any 
direct, indirect, or consequential loss or damage arising from use 
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are 
registered trademarks of Symantec Corp. and/or affiliated companies 
in the United States and other countries. All other registered and 
unregistered trademarks represented in this document are the sole 
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEXR5muk7IIFI45IARArK+AJwOzswbkJN2WirzNweklR+iBBHpsQCgyNOe
vKVo3Si7ycswRs/2kiA997I=
=dkX3
-----END PGP SIGNATURE-----
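
To check whether the workaround in the advisory above is in place, the following read-only audit lists every Allow entry on the ACS administrators key and its sub-keys that is not on an expected list, then shows the state of remote registry access. It is an added example, not code from Cisco or Symantec; the `$Allowed` list and the `EXAMPLE\acs-maintainer` account are placeholders to replace with the accounts your deployment scenario calls for.

```powershell
# Added example: read-only audit, changes nothing. Requires PowerShell 3.0+.
# $Allowed is an assumption; EXAMPLE\acs-maintainer is a placeholder account.
$Allowed = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\acs-maintainer')

function Get-UnexpectedAccess {
    param([string]$KeyPath, [string[]]$Allowed)
    try {
        $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    } catch {
        # The auditing account itself cannot read the ACL: report rather than fail.
        return [pscustomobject]@{ Key = $KeyPath; Identity = '(ACL unreadable)'
                                  Rights = $_.Exception.Message; Inherited = $null }
    }
    foreach ($rule in $acl.Access) {
        $id = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $Allowed -notcontains $id) {
            [pscustomobject]@{ Key = $KeyPath; Identity = $id
                               Rights = $rule.RegistryRights; Inherited = $rule.IsInherited }
        }
    }
}

# The "CiscoAAAv3.3" component differs between versions, so match on the prefix.
$roots = Get-ChildItem -Path 'HKLM:\SOFTWARE\Cisco' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'CiscoAAAv*' } |
    ForEach-Object { Join-Path $_.PSPath 'CSAdmin\Administrators' } |
    Where-Object { Test-Path $_ }

$findings = foreach ($root in $roots) {
    # The workaround covers the key and all of its sub-keys.
    $keys = @($root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSPath })
    foreach ($k in $keys) { Get-UnexpectedAccess -KeyPath $k -Allowed $Allowed }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No unexpected Allow entries found (or no ACS 3.x key present).'
}

# Remote exposure: service state, plus who may connect to the registry remotely.
Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue |
    Select-Object Name, Status
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (Test-Path $winreg) {
    (Get-Acl -Path $winreg).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}
```

Entries for groups such as `BUILTIN\Administrators` are flagged by design, because the workaround restricts the key to SYSTEM and specifically named maintainers rather than to administrators in general.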
    

- Vulnerability information

25892
Cisco Secure ACS Registry Cleartext Authentication Credential Disclosure
Local Access Required, Remote / Network Access Authentication Management, Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

Cisco Secure ACS contains a flaw that may allow a malicious user to gain access to cleartext passwords. The issue is caused by insecure storage of the master key used to encrypt ACS administrator passwords in the Windows registry. It is possible that the flaw may allow access to administrator passwords resulting in a loss of confidentiality.

- Timeline

2006-05-08 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators

- Related references

- Vulnerability author

- Vulnerability information

Cisco Secure ACS Insecure Password Storage Vulnerability
Design Error 16743
Yes Yes
2006-05-08 12:00:00 2006-05-15 07:54:00
Andreas Junestam is credited with the discovery of this issue.

- Affected program versions

Cisco Secure ACS for Windows Server 3.2
Cisco Secure ACS for Windows NT 3.3
Cisco Secure ACS for Windows NT 3.2
Cisco Secure ACS for Windows NT 3.1.1
Cisco Secure ACS for Windows NT 3.1
Cisco Secure ACS for Windows NT 3.0.3
Cisco Secure ACS for Windows NT 3.0.1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
Cisco Secure ACS for Windows NT 3.0
Cisco Secure Access Control Server 3.3.2
Cisco Secure Access Control Server 3.3.1
Cisco Secure Access Control Server 3.3 (1)
Cisco Secure Access Control Server 3.3
Cisco Secure Access Control Server 3.2.2
Cisco Secure Access Control Server 3.2.1
Cisco Secure Access Control Server 3.2 (3)
Cisco Secure Access Control Server 3.2 (2)
Cisco Secure Access Control Server 3.2 (1.20)
Cisco Secure Access Control Server 3.2 (1)
Cisco Secure Access Control Server 3.2
Cisco Secure Access Control Server 3.1
Cisco Secure Access Control Server 3.0
Cisco Secure Access Control Server
Cisco Secure ACS Solution Engine
Cisco Secure Access Control Server 4.0.1

- Unaffected program versions

Cisco Secure ACS Solution Engine
Cisco Secure Access Control Server 4.0.1

- Vulnerability discussion

Cisco Secure ACS is susceptible to an insecure password-storage vulnerability. This issue is due to a failure of the application to properly secure sensitive password information.

This issue allows attackers to gain access to encrypted passwords and to the key used to encrypt them. This allows them to obtain the plaintext passwords, aiding them in attacking other services that depend on the ACS server for authentication.

Cisco Secure Access Control Server for Windows versions 3.x are affected by this issue.

- Exploit

Attackers must use or create an exploit application that is capable of decrypting the encrypted passwords.

The specific means of gaining access to the registry information may or may not require an exploit application.

- Solution

ACS 3.x for UNIX and ACS 4.0.1 for Windows are not affected by this issue.
