Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

DoS in Cisco Clean Access

From: alex () box sk
Date: 16 Dec 2005 18:57:28 -0000
Date of release: 16/12/2005
Software: Cisco Clean Access/Perfigo CleanMachines (http://www.cisco.com/en/US/products/ps6128/index.html)
Affected versions: Tested on 3.5.5, assumed all <=current.
Risk: Medium/High
Discovered by: Alex Lanstein 

Background
--------
Cisco Clean Access is an easily deployed Network Admission Control solution that can automatically detect, isolate, and 
clean infected or vulnerable devices that attempt to access your network - regardless of the access method. It 
identifies whether networked devices such as laptops, personal digital assistants, or even game consoles are compliant 
with your network's security policies, and repairs any vulnerabilities before permitting access to the network.

The software that is affected resides on the Secure Smart Manager, not the Secure Smart Server.  

Details
-------
The method below has the possibility to create a denial of service on a few layers.  One, a user without a username or 
password can use the vulnerability to upload files to a web visable folder for fun and profit.  The user could also 
fill up the drive as it seems, aside from /boot, the rest of the drive is one big partition.  Filling up the drive 
would most definately cause the system to lock up in its current configuration.  

In /admin/uploadclient.jsp there is a lack of authentication check so that anyone who browses to the page can upload 
files directly to the web visable folder /installer/windows.  This is clearly unacceptable.

Similar types of attacks can be launched from apply_firmware_action.jsp and file.jsp.  

Solution(s)
--------
The vendor, Cisco Systems, should prepend _all_ files, especially all .jsp files, with an authentication check.  This 
seems to be the case with most, but not all of the files.  

The vendor should also use a better partitioning scheme in its installs.

Managers of these systems should add some sort of overall .htaccess/.htpasswd system while they are waiting for the 
vendor patch, as I'm sure that under further investigation by the engineers many more files are affected than those 
listed above.

External discussion and developments:
be .aware | http://www.awarenetwork.org/forum/viewtopic.php?p=2236
Previous By Date Next
Previous By Thread Next

Current thread: