mailing list archives
Re: Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access
From: Damir Rajnovic <gaus () cisco com>
Date: Fri, 12 Jan 2007 13:53:12 +0000
On Tue, Jan 09, 2007 at 12:40:47PM -0700, Mark Senior wrote:
Perhaps you can't comment, which I respect, but I wonder - is there a
general Cisco policy on vulnerability announcements being short on technical
detail like this? This advisory seemed pretty much standard for advisories
coming from Cisco, which is to say that the reader is often left to draw
inferences, which are not always correct (though perhaps mine were more
incorrect than the average reader's).
The policy is to strive to provide as much details as possible for
administrators to determine their exposure but, at the same time, not to
make too easy for bad guys to exploit vulnerability. Again, the emphasis
is on exposure which does not necessary means that all technical details
Sounds easy in theory but not always easy in practice. Therefore we
appreciate feedback on how are we doing.
Just to make sure I'm understanding this - would the attacker need the
shared secret in order to get the CAS to do anything - i.e. are we talking
about a compromise of (the shared secret from) one Clean Access box in an
admin domain being expandable to all the Clean Access boxes in that admin
domain? Or, is the ability to carry on a TCP conversation sufficient, no
prior access to a shared secret required?
Yes, the attacker must know the shared secret. Due to the vulnerability
the shared secret is the same for all affected devices. So, if you have
affected device then, in a way, you have and know it.
In practice, I suspect that if the attacker has downloaded the hashes, the
damage is done. The best you can realistically expect of typical ops groups
is that they will make the attacker wait a week or two, instead of half an
hour. If you're lucky, you might realize that someone has the hashes and
change all the passwords, and pray your folks didn't just increment the
number at the end of their passwords like usual.
Not that that's Cisco's problem...
We can encourage customers not to do that by enforcing rules when they
change passwords. So we can help :)
Damir Rajnovic <psirt () cisco com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
There are no insolvable problems.
The question is can you accept the solution?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/