CSCvh25988 - Cisco Secure Access Control System Java Deserialization Vulnerability
03-12-2018 09:18 AM - edited 03-20-2019 09:58 PM
Ciao,
Do you know if there's any (temporary) mitigation for this bug other than upgrading to 5.8?
For example: Is the bug exploitable only using the ACS GUI? In this case I could restrict the admin GUI access.
On the other hand, I've not seen any IPS signature for this bug. Right?
Thanks
03-13-2018 04:54 AM
Hi,
Good question. I need to know how this vulnerability is exploitable. Usually ACS is not remotely accessible, except for admin (SSH and HTTPS) and network devices (RADIUS, TACACS). Which protocol is vulnerable? Thanks.
03-14-2018 03:53 AM
Ciao,
I'm going to open a TAC....
03-14-2018 04:52 AM
Great, once you have some answers, if possible, share the knowledge please. Thanks.
03-19-2018 07:10 AM
Ciao,
Bad news, the TAC replied to me:
Problem Description: Need information related to CSCvh25988.
Action Plan: There are no workarounds or temporary mitigation steps that could address this vulnerability.
In order to fix this vulnerability, you need to upgrade your ACS to 5.8 patch 9.
Nothing else.
On my side I found out that Talos has released this signature:
* 3:45870 <-> ENABLED <-> SERVER-WEBAPP Cisco ACS unsafe Java object deserialization attempt (server-webapp.rules)
but I don't understand how the signature is blocking the attack.
03-19-2018 07:48 AM
Well, at least some information... From the signature, I can see that it matches only on destination service HTTP-PORTS. So it probably means that this vulnerability can be exploited only through the web interface (admin access). That is not bad; usually admin access is behind a firewall and allowed only to specific hosts... Thank you.
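To illustrate what a network signature for unsafe Java deserialization over HTTP can key on (an added example, not part of this thread and not the content of Talos rule 3:45870, which is not shown here): a serialized Java object stream begins with the bytes AC ED 00 05, so a detector can look for that header, raw or base64-encoded, in request bodies. The host name, URL path and sample requests below are constructed assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote_to_bytes

JAVA_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
B64_TOKEN = re.compile(rb"rO0AB[A-Za-z0-9+/]{3,}")  # candidate base64 of that header

def split_http(raw):
    """Split a raw HTTP request into (request line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def serialized_java_indicators(raw):
    """Return the reasons a request appears to carry a Java object stream."""
    _, headers, body = split_http(raw)
    reasons = []
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("application/x-java-serialized-object"):
        reasons.append("content-type")
    if JAVA_MAGIC in body:
        reasons.append("raw-stream")
    # Form bodies can carry the stream base64-encoded and percent-escaped;
    # decode each candidate so a look-alike prefix is not reported.
    for token in B64_TOKEN.findall(unquote_to_bytes(body)):
        if base64.b64decode(token[:8]).startswith(JAVA_MAGIC):
            reasons.append("base64-stream")
            break
    return reasons

def request(content_type, body):  # constructed request; path and host are hypothetical
    return (b"POST /example/endpoint HTTP/1.1\r\nHost: acs.example.net\r\n"
            b"Content-Type: " + content_type + b"\r\n\r\n" + body)

# Constructed, truncated stream header: magic, TC_OBJECT, TC_CLASSDESC, class name.
STREAM = JAVA_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"
FORM = b"application/x-www-form-urlencoded"
SAMPLES = {
    "login form": request(FORM, b"user=admin&lang=en"),
    "raw object": request(b"application/x-java-serialized-object", STREAM),
    "encoded parameter": request(FORM, b"state=" + quote(base64.b64encode(STREAM)).encode()),
    "look-alike prefix": request(FORM, b"state=rO0ABAAA"),
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {serialized_java_indicators(raw) or 'no indicators'}")
```

An ordinary form submission to the GUI produces no indicators here; only requests whose body carries the object stream header do.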
03-19-2018 08:55 AM
What does it mean? In that case, does it match every time you access the ACS GUI?
Thanks
03-20-2018 12:22 AM
