Cisco plugs ACS password security hole

Networking giant issues patch to stop hackers bypassing password protection in Access Control System.

Security

Networking titan Cisco has patched a vulnerability in its Access Control System (ACS) platform that could allow hackers to bypass password protections.

The update installs a revision of ACS, a part of which handles the platform's TACACS+ authentication platform.

Cisco said the vulnerability was caused by the improper validation of the user-supplied passwords when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store.

An attacker may exploit this vulnerability by sending a special sequence of characters when prompted for the user password.

They would then need to know a valid username stored in the LDAP external identity database to exploit this vulnerability, and the exploitation is limited to impersonate only that user.

An exploit could allow the attacker to successfully authenticate to any system using TACACS+ in combination with an affected Cisco Secure ACS.

The update is free to download and install with Cisco urging organisations to install the fix as soon as possible.

The flaw was initally flagged by Sans security researcher Mark Baggett.

Baggett said exploitation of the vulnerability was "very easy".

"If you are using Cisco ACS for authentication you should probably take note of this announcement," he said.

News of the flaw in Cisco's ACS comes around a week after the company was forced to issue patches in its datacentre and web conferencing products that could allow remote command execution in its Cisco Prime Data Center Network Manager.

Versions prior to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts the application, according to Cisco.

It also reported a SQL injection and buffer overrun vulnerability in its Cisco Unified MeetingPlace Web Conferencing product.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020
REvil hacking group says it has made more than $100m in a year
Security

REvil hacking group says it has made more than $100m in a year

29 Oct 2020
36 billion personal records exposed by hacks in 2020 so far
Security

36 billion personal records exposed by hacks in 2020 so far

29 Oct 2020
Trump website defaced in second successive cyber breach
Security

Trump website defaced in second successive cyber breach

28 Oct 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Politicians need to stop talking about technology
Policy & legislation

Politicians need to stop talking about technology

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020