
Cisco Access Control Server (ACS)

Product
Developers: Cisco Systems
Technology: Cybersecurity - Biometric identification, Access control and management systems (ACS)

The integrated security system of a data center is built on the Cisco Access Control (ACS) hardware and software system. Its principal components are a server running the Cisco Physical Access Manager (Cisco PAM) software and controllers to which RFID and biometric readers, actuators and other equipment are connected.

2018: Dangerous vulnerability in Cisco ACS

On June 7, 2018 it became known that Positive Technologies experts Mikhail Klyuchnikov and Yury Aleynov had detected a critical vulnerability in the web interface of the Cisco ACS access control server. The flaw allows an unauthorized attacker to execute arbitrary commands on the server on behalf of a privileged user.

The vulnerability, CVE-2018-0253, received a score of 9.8 on the CVSS v3.0 scale, which corresponds to a critical level of danger. If the attacker is already inside the internal network, he can change or collect the credentials of users of network devices, attack other resources on the internal network or carry out man-in-the-middle attacks. If the Cisco ACS web interface is reachable from an external network, these actions can be carried out from anywhere in the world.

"When Cisco ACS is integrated with Microsoft Active Directory, which happens very often, an attacker can steal a domain administrator's account, and under less favorable conditions (without Active Directory integration) can gain control over routers and firewalls in order to listen to the traffic of the entire network (including confidential data) or gain access to closed network segments, for example to processing in a bank."
Mikhail Klyuchnikov, specialist in the web application security analysis department at Positive Technologies

The problem stems from incorrect handling of AMF3 protocol messages on the server. Within an AMF3 message, an attacker can pass a specially crafted Java object in serialized form. When deserializing this object, the server loads malicious code from a source specified by the attacker and executes it.

Versions of Cisco ACS released before v5.8.0.32.7 are vulnerable (authorization is not required), as are v5.8.0.32.7 and v5.8.0.32.8 (authorization is required). To eliminate the problem, the vendor recommends updating the server to version 5.8.0.32.9 or later.
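To check an inventory against these version ranges, the following added example (not code from Cisco or Positive Technologies) classifies version strings by exposure. It assumes that "released before" follows numeric version ordering; the host names and the sample inventory are constructed for illustration.

```python
import re

# Thresholds taken from the version ranges stated in the text above.
AUTH_REQUIRED_FROM = (5, 8, 0, 32, 7)  # from here on, authorization is required
FIXED_FROM = (5, 8, 0, 32, 9)          # vendor-recommended minimum version
UNAUTH, AUTH = "vulnerable-no-authorization", "vulnerable-authorization-required"
FIXED, UNKNOWN = "fixed", "unknown"
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")

def parse_version(text):
    """Convert 'v5.8.0.32.7' to (5, 8, 0, 32, 7); return None if malformed."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short strings such as '5.8.0.32' so they compare as patch level 0.
    return parts + (0,) * (5 - len(parts))

def classify(text):
    """Map one version string to its exposure according to the ranges above."""
    version = parse_version(text)
    if version is None:
        return UNKNOWN  # never treat an unreadable version as safe
    if version < AUTH_REQUIRED_FROM:
        return UNAUTH
    if version < FIXED_FROM:
        return AUTH
    return FIXED

def triage(inventory):
    """Group hosts by status so unpatched and unknown servers stand out."""
    groups = {UNAUTH: [], AUTH: [], FIXED: [], UNKNOWN: []}
    for host, version in sorted(inventory.items()):
        groups[classify(version)].append(host)
    return groups

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "acs-dc1": "v5.8.0.32.6",
    "acs-dc2": "5.8.0.32.8",
    "acs-lab": "5.8.0.32.9",
    "acs-old": "5.6.0.22",
    "acs-dr": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need a manual version check rather than being counted as patched.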

To detect attackers' actions, Positive Technologies suggests using its security information and event management system, MaxPatrol SIEM. In April, 26 rules for detecting incidents in Active Directory were added to MaxPatrol SIEM; Microsoft's directory services are often closely integrated with Cisco ACS in corporate networks and are quite often the main target of attacks.

In addition, PT Application Firewall, an application-layer firewall that implements protection against Java deserialization attacks and supports the AMF protocol, can be used to protect against cyber attacks that exploit this vulnerability.