Several vulnerabilities in the RADIUS server supplied with Cisco Secure ACS products could allow a remote attacker to execute arbitrary code on an affected system.
Cisco Secure ACS is a Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) security server. The RADIUS protocol is handled by the CSRadius component of the Cisco Secure ACS product which is run as a service in Windows under the Local System account.
Several vulnerabilities, including a heap overflow in handling of the "Tunnel-Password" attribute, exist in the way the CSRadius service handles certain RADIUS Access-Request packets. These vulnerabilities may allow a remote attacker with the ability to craft RADIUS packets to cause the CSRadius service to crash.
A remote unauthenticated attacker may be able to cause the CSRadius service to crash, thereby causing a denial of service. Cisco states that these vulnerabilities will not allow an attacker to execute arbitrary code after successful exploitation.
These issues were publicly reported in Cisco Security Advisory cisco-sa-20070105-csacs . The "Tunnel-Password" heap overflow (CVE-2006-4097) issue was reported by the NISCC Vulnerability Management Team. NISCC, in turn, thanks the CESG Vulnerability Research Group for reporting this issue to them.
|Date First Published:||2007-01-15|
|Date Last Updated:||2007-01-26 16:24 UTC|