Cisco plugs ACS password security hole

Networking giant issues patch to stop hackers bypassing password protection in Access Control System.


Networking titan Cisco has patched a vulnerability in its Access Control System (ACS) platform that could allow hackers to bypass password protections.

The update installs a revised version of the ACS component that handles the platform's TACACS+ authentication.

Cisco said the vulnerability was caused by the improper validation of the user-supplied passwords when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store.

An attacker may exploit this vulnerability by sending a special sequence of characters when prompted for the user password.

The attacker would also need to know a valid username stored in the LDAP external identity store, and exploitation is limited to impersonating only that user.

An exploit could allow the attacker to successfully authenticate to any system using TACACS+ in combination with an affected Cisco Secure ACS.
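The article describes the defect only as improper validation of user-supplied passwords when TACACS+ authentication is backed by an LDAP external identity store; it does not say what the special character sequence is or why it passes. The added example below is not Cisco's code and does not model the ACS bug itself. It illustrates the general hardening a defender applies to this class of problem: validating the password string before it is ever handed to the external identity store, and failing closed when it is malformed. The stand-in directory (`FakeLdapStore`, a constructed in-memory class) assumes one widely known failure mode of this class, the LDAP unauthenticated bind, where a bind with a valid name and an empty password succeeds without any credential check; that assumption is the example's, not the article's.

```python
"""
Added illustration of the "improper validation of user-supplied passwords"
class of defect in an authenticator that fronts an LDAP identity store.
This is not Cisco's code and does not reproduce the ACS vulnerability; the
failure mode modelled (an LDAP unauthenticated bind accepting an empty
password for a known user) is an assumption chosen for illustration.
"""

MAX_PASSWORD_LEN = 128  # assumed upper bound; pick one that fits your directory


class FakeLdapStore:
    """Constructed in-memory stand-in for an LDAP directory (no network)."""

    def __init__(self, users: dict, allow_unauthenticated_bind: bool = True):
        self._users = users
        # Many directories accept a bind with a DN and an empty password as an
        # "unauthenticated" bind; modelled here as a configurable quirk.
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        if password == "" and self.allow_unauthenticated_bind:
            return True  # bind "succeeds" with no credential checked
        return self._users[username] == password


def authenticate_weak(store: FakeLdapStore, username: str, password: str) -> bool:
    """Forwards whatever the client sent straight to the directory."""
    return store.simple_bind(username, password)


def password_is_well_formed(password: str) -> bool:
    """Reject passwords the authenticator should never forward."""
    if not password or len(password) > MAX_PASSWORD_LEN:
        return False
    # Control characters (NUL, CR, LF, ESC, ...) have no business in a
    # password field; a TACACS+ client never needs to send them.
    return all(c.isprintable() for c in password)


def authenticate_hardened(store: FakeLdapStore, username: str, password: str) -> bool:
    """Validate first, then bind; fail closed on anything malformed."""
    if not password_is_well_formed(password):
        return False
    return store.simple_bind(username, password)


if __name__ == "__main__":
    # Constructed sample: one user with a known password.
    directory = FakeLdapStore({"alice": "correct horse battery"})
    print("weak, empty password:    ", authenticate_weak(directory, "alice", ""))
    print("hardened, empty password:", authenticate_hardened(directory, "alice", ""))
    print("hardened, real password: ", authenticate_hardened(directory, "alice", "correct horse battery"))
```

The point for an operator is the ordering: the authenticator, not the directory, is the last place the password string is under your control, so it must reject empty, over-long or non-printable input before the bind, and must also configure the directory to disallow unauthenticated binds so that the two layers do not depend on each other.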

The update is free to download and install with Cisco urging organisations to install the fix as soon as possible.

The flaw was initially flagged by SANS security researcher Mark Baggett.

Baggett said exploitation of the vulnerability was "very easy".

"If you are using Cisco ACS for authentication you should probably take note of this announcement," he said.

News of the flaw in Cisco's ACS comes around a week after the company was forced to issue patches for its datacentre and web conferencing products, including a flaw that could allow remote command execution in its Cisco Prime Data Center Network Manager.

Versions prior to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts the application, according to Cisco.

It also reported SQL injection and buffer overrun vulnerabilities in its Cisco Unified MeetingPlace Web Conferencing product.
