Re: Cisco NAC Appliance Agent Installation Bypass Vulnerability

[Eloy Paris <elparis () cisco com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

On Fri, Aug 25, 2006 at 08:23:28PM -0400, Andreas Gal wrote:

[...]

> Vulnerability:
> Previous versions of the software allowed users to bypass the "mandatory" 
> installation of the Clean Access Agent by changing the browser user-agent 
> string. With version 3.6.0, Cisco added additional detection mechanisms 
> such as TCP fingerprinting and JavaScript OS detection. By changing the 
> default parameters of the Windows TCP/IP stack and using a custom HTTPS 
> client (instead of a browser) the user can still connect to the network 
> without running any host-based checks. Authentication and remote checks 
> are not affected.

[...]

This is the Cisco PSIRT response to the above statements made by Andreas
Gal and Joachim Feise in their advisory entitled "NAC agent installation
bypass", which was posted to the Bugtraq and full-disclosure mailing
lists.

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information
======================

The goal of the attack described in the advisory is to bypass the
Operating System (OS) detection mechanisms available in the NAC
(Network Admission Control ) appliance software, in order to prevent
the mandatory installation of the Cisco Clean Access (CCA) Agent. If
the CCA Agent is not installed, machines that do not comply with the
configured software policies will not be automatically patched/upgraded
or quarantined on initial access to the network.

While it is possible to bypass the mandatory agent installation by
following the steps in the advisory, it should be noted that:

1) Users cannot bypass authentication using the approach described in
the advisory. Accordingly, unauthorized users (i.e., users with no
credentials or invalid credentials) will not be able to gain access to
the network using such approach.

2) If an administrator is concerned that users might attempt to
bypass CCA Agent installation by masquerading a Windows machine as a
non-Windows machine (e.g., Linux, MacOSX, etc.), the administrator can
define Network Scanning rules on the CCA Manager and use network scans
to perform additional OS-specific checks. This process should detect
users attempting to masquerade their Windows machines as non-Windows
machines.

Additional information on how to configure Network Scanning rules can be
found in the Tech Note entitled Clean Access - Use the Network Scanning
Feature to Detect Users Who Attempt to Bypass Agent Checks.

3) If a malicious user installs a personal firewall or similar software
for the purpose of making the network scan time out, CCA provides
options to quarantine such malicious users. Following such quarantine,
administrators can then determine if users are attempting to masquerade
their OS. Alternatively, network administrators can ask users to
configure their personal firewalls to allow any traffic sourced from
the Clean Access Server (CAS) IP address, so that it can successfully
perform network scans.

4) Customers can also manually install either the CCA Agent software
or the CCA Agent Installation stub (available in CCA version 4.0.0 and
above) on end-user Windows machines, instead of using the OS detection
routines. This will completely prevent the agent installation bypass
described in the advisory from Andreas Gal and Joachim Feise.

This response will also be posted to
http://www.cisco.com/warp/public/707/cisco-sr-20060826-nac.shtml

Cheers,

Eloy Paris.-
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE8K+1agjTfAtNY9gRAkCLAJ92FjiG8CCYAEeWxmPd4PDtPfTvvQCeLvch
aJmchDqJyvle9bIw0qQigUw=
=Rxii
-----END PGP SIGNATURE-----