Cisco Secure ACS Unix Acme.server Information Disclosure Vulnerability

Summary

• Cisco Secure Access Control Server for Unix implements the Acme.server and is therefore vulnerable to a directory traversal vulnerability. The fix has been included in ACS Unix version 2.3.6.1 which is currently available.

  This vulnerability is detailed in Cisco Bug ID CSCdu47965.

  This advisory is available at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020702-acsunix-acmeweb.

Affected Products

• This section provides details on affected products.

  Vulnerable Products

  The defects described in this document are present in releases beginning with version 2.0 up to and including version 2.3.6 of Cisco Secure ACS for Unix Server.

  Products Confirmed Not Vulnerable

  Cisco Secure ACS for Windows NT is not vulnerable to this issue. Cisco Access Registrar is not vulnerable to this issue.

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• This vulnerability exists within the Acme.server program that is part of the Cisco Secure ACS Unix installation. This vulnerability has been repaired in the Acme.server utility. The patch is available for Cisco customers, and has now been incorporated into the Cisco Secure ACS Unix product.

  The vulnerability is triggered when someone browses to the server URL and adds trailing slashes as in the following example: http://servername:9090///. This exploit will display the files and filesystem of the target server.

  This vulnerability has been assigned Cisco bug ID CSCdu47965.

Workarounds

• Workarounds for this vulnerability include general recommendations of protecting the Cisco Secure ACS for Unix with strong firewalls, access controls, and preventing any external or unauthenticated access to the system, and to port 9090 in particular. This is an interim workaround only, and a patch or upgrade is recommended.

  For this issue, a patch is available which may be installed in place of an upgrade. The patch is available at the following temporary location:

  ftp://ftpeng.cisco.com/ftp/csu/Acme-Patch.tar.Z

  For any assistance with the patch, please contact the TAC. This patch fixes the security problem with the Acme.server. It includes the modified files provided by Acme. This patch can be applied for any supported version of Cisco Secure, that is, CiscoSecure/Unix 2.3(3) or later. The patch consists of one file: FastAdmin/Acme.zip.

  Patch Installation Instructions

  To install the patch, follow the instructions below. The commands need to be executed on your Cisco Secure ACS Unix by the administrator.

  1. Stop Cisco Secure by entering the command:
     

     /etc/rc0.d/K80CiscoSecure
     

  2. Change to the base directory where Cisco Secure is installed.
     

     cd $BASEDIR
     

  3. Copy the compressed tar file Acme-Patch.tar.Z into the current directory.
     
  4. Uncompress and untar the file.
     

     uncompress Acme-Patch.tar.Z
     tar xvf Acme-Patch.tar
     

  5. Start Cisco Secure with the command:
     

     /etc/rc2.d/S80CiscoSecure
     

Fixed Software

• There is a patch available, and the fixes are included in Cisco Secure ACS Unix version 2.3.6.1 and all versions going forward. For existing versions, the patch may be applied, which resolves the issue. There is no need to upgrade to a newer version.

Exploitation and Public Announcements

• The issue with the Acme.server was posted to the Bugtraq list June 2001 , although no specific mention of the Cisco product was made in the original posting. Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020702-acsunix-acmeweb

Revision History

• Revision 1.2	2002-July-24	Update to Affected Products section
  Revision 1.1	2002-July-03	Update to Workarounds section
  Revision 1.0	2002-July-02	Initial Public Release

  Show Less