There is a critical remotely exploitable vulnerability in Cisco’s Secure Access Control Server which allows a remote attacker to take complete control of a vulnerable server. The bug results from a bad implementation of the EAP-FAST protocol and it affects a number of versions of the Cisco ACS.
The vulnerability is a highly critical one, as an attacker needs no authentication whatsoever and can take over control of the machine running the server. Cisco officials said the flaw only exists when the ACS server is configured as a RADIUS server. The company has issued a patch for the vulnerability, but there are no workarounds that can be implemented before the patch is rolled out.
“The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication. An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device. An exploit could allow the attacker to execute arbitrary commands on the Cisco Secure ACS server and take full control of the affected server,” the Cisco advisory says.
“Commands are executed in the context of the System user for Cisco Secure ACS authentication service running on Microsoft Windows. Cisco Secure ACS uses the standard RADIUS UDP port 1812 or 1645 for EAP-FAST authentication.”
The vulnerability affects versions 4.0 through 220.127.116.11 of the Cisco ACS server and the patch is implemented in version 18.104.22.168.11. Cisco officials said they’re not aware of any public exploitation of the vulnerability yet.