
Cisco plugs ACS password security hole

Networking giant issues patch to stop hackers bypassing password protection in Access Control System.


Networking titan Cisco has patched a vulnerability in its Access Control System (ACS) platform that could allow hackers to bypass password protections.

The update installs a revised build of ACS; the affected component is the one that handles TACACS+ authentication.

Cisco said the vulnerability is caused by improper validation of user-supplied passwords when TACACS+ is the authentication protocol and Cisco Secure ACS is configured to use a Lightweight Directory Access Protocol (LDAP) external identity store.

An attacker could exploit the vulnerability by sending a special sequence of characters when prompted for the user's password.

The attacker would need to know a valid username stored in the LDAP external identity store, and exploitation is limited to impersonating that user.

A successful exploit could allow the attacker to authenticate to any system that uses TACACS+ together with an affected Cisco Secure ACS.
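The bug class Cisco describes, an authentication front end that forwards whatever the user typed at the password prompt straight to the external identity store, is easier to reason about with a small model. The following is an added example written for this article, not Cisco ACS code, and the advisory quoted above does not say which character sequence triggers the bypass. In its place the example uses a well-known LDAP pitfall as a stand-in: a simple bind with a DN and a zero-length password is an "unauthenticated bind" (RFC 4513 section 5.1.2), which some directories have historically answered with success. The directory contents, usernames and passwords are constructed.

```python
"""Validate user-supplied passwords before handing them to an identity store.

Constructed example for illustration only: not Cisco ACS code, and not the
actual character sequence behind the ACS advisory.  A fake LDAP server that
accepts an empty password (unauthenticated bind, RFC 4513 s5.1.2) stands in
for "the store accepts an input the front end should never have forwarded".
"""
import string

# Constructed directory contents standing in for LDAP (username -> password).
_DIRECTORY = {
    "netadmin": "correct horse battery staple",
    "auditor": "Tr0ub4dor&3",
}

# Whitespace characters that are printable in Python's view but have no place
# in a password prompt reply (CR/LF, tab, vertical tab, form feed).
_FORBIDDEN_WHITESPACE = "\r\n\t\x0b\x0c"


class FakeLdap:
    """Minimal stand-in for an LDAP server's simple bind operation."""

    def simple_bind(self, username: str, password: str) -> bool:
        # Unauthenticated bind: a known DN with an empty password.  Directories
        # that answer "success" here are the failure mode this example models.
        if username in _DIRECTORY and password == "":
            return True
        return _DIRECTORY.get(username) == password


def vulnerable_authenticate(ldap: FakeLdap, username: str, password: str) -> bool:
    """The bug class: the front end forwards the password untouched and trusts
    the store's answer, so knowing a valid username is enough to get in."""
    return ldap.simple_bind(username, password)


def password_is_wellformed(password: str) -> bool:
    """Reject inputs that are not an ordinary credential before any bind:
    empty strings (unauthenticated bind) and control or non-printable
    characters, which is where "special sequences" live."""
    if not password:
        return False
    return all(
        ch in string.printable and ch not in _FORBIDDEN_WHITESPACE
        for ch in password
    )


def hardened_authenticate(ldap: FakeLdap, username: str, password: str) -> bool:
    """Same flow, but the front end validates the user's input first so the
    store is only ever asked about credentials it is safe to ask about."""
    if not username or not password_is_wellformed(password):
        return False
    return ldap.simple_bind(username, password)


if __name__ == "__main__":
    ldap = FakeLdap()
    for label, fn in (("vulnerable", vulnerable_authenticate),
                      ("hardened", hardened_authenticate)):
        print(label, "empty password for netadmin ->", fn(ldap, "netadmin", ""))
        print(label, "correct password for netadmin ->",
              fn(ldap, "netadmin", "correct horse battery staple"))
```

The vulnerable path lets anyone who knows the username `netadmin` in with an empty password, which mirrors the advisory's scope: one known account, impersonated, nothing more. The hardened path fails closed before the store is consulted, and it would still fail closed if the directory behind it were later replaced with one that has different bind semantics.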

The update is free to download and install with Cisco urging organisations to install the fix as soon as possible.

The flaw was initially flagged by SANS security researcher Mark Baggett.

Baggett said exploitation of the vulnerability was "very easy".

"If you are using Cisco ACS for authentication you should probably take note of this announcement," he said.

News of the ACS flaw comes around a week after Cisco was forced to issue patches for its data centre management and web conferencing products, including a vulnerability in Cisco Prime Data Center Network Manager that could allow remote command execution.

According to Cisco, versions of Data Center Network Manager prior to 6.1.1 are vulnerable to remote exploitation of the underlying system that hosts the application.

It also reported SQL injection and buffer overflow vulnerabilities in its Cisco Unified MeetingPlace Web Conferencing product.
