Re: Cisco NAC Appliance Agent Installation Bypass Vulnerability

[Joe Feise <jfeise () feise com>]

Hello,

This is an answer to Cisco's response to our advisory entitled "NAC agent
installation bypass".

We appreciate Cisco's answer to our advisory and the confirmation of the
validity of our approach.

We like to address some of the points Eloy Paris from Cisco makes in
his answer.

Eloy Paris wrote on 08/26/06 13:31:
<...>

> While it is possible to bypass the mandatory agent installation by
> following the steps in the advisory, it should be noted that:
>
> 1) Users cannot bypass authentication using the approach described in
> the advisory. Accordingly, unauthorized users (i.e., users with no
> credentials or invalid credentials) will not be able to gain access to
> the network using such approach.


Our advisory explicitly addressed bypassing the CCA Agent installation only.
Authentication is orthogonal to our concern, and is not affected by our approach.

> 2) If an administrator is concerned that users might attempt to
> bypass CCA Agent installation by masquerading a Windows machine as a
> non-Windows machine (e.g., Linux, MacOSX, etc.), the administrator can
> define Network Scanning rules on the CCA Manager and use network scans
> to perform additional OS-specific checks. This process should detect
> users attempting to masquerade their Windows machines as non-Windows
> machines.


Such network scanning can be rendered useless in a trivial manner by connecting
Windows machines to the network through a Linux-based router, such as the ones
produced by Cisco's subsidiary Linksys.

> 4) Customers can also manually install either the CCA Agent software
> or the CCA Agent Installation stub (available in CCA version 4.0.0 and
> above) on end-user Windows machines, instead of using the OS detection
> routines. This will completely prevent the agent installation bypass
> described in the advisory from Andreas Gal and Joachim Feise.


This is a possible approach, particularly in corporate settings where the
end-user machines are locked down.
However, it fails in settings where the end user machines are not under control
of the network administrators, such as university residential student
communities (it is our understanding that CCA is quite popular with network
administrators in these settings.)
Any end user with administrative rights could simply uninstall the CCA Agent
software.

Cheers,
-Joachim Joe Feise

Attachment: signature.asc
Description: OpenPGP digital signature