Network Security, Patch/Configuration Management, Vulnerability Management

Patched Cisco ACS flaw lets attackers perform MITM attacks, steal admin credentials

Positive Technologies has elaborated on a critical remote code execution vulnerability its researchers discovered in the web interface of the Cisco Systems Access Control Server (ACS), reporting that the bug can be leveraged to perform man-in-the-middle attacks, steal credentials, access network resources and intercept traffic. 

Cisco patched the flaw earlier this year, noting in a May 2 security advisory that unauthenticated, remote attackers could use a maliciously crafted Action Message Format (AMF) message to exploit the bug – designated CVE-2018-0253 – "to execute arbitrary commands on an affected system."

To capitalize on the vulnerability, adversaries must have local or remote access to the affected internal network, and any malicious commands will be executed at the targeted user's privilege level. However, in a June 7 company blog post, Positive Technologies web application security specialist Mikhail Klyuchnikov warned that if ACS is integrated with Microsoft Active Directory, then attackers can "steal the credentials of the domain administrator," thus allowing them to elevate their own privileges.

But even when Active Directory integration is not enabled, "the attacker can still obtain control of routers and firewalls in order to intercept traffic, including sensitive data, on the entire network – or access closed-off network segments, such as bank processing systems," Klyuchnikov explained.

The vulnerability, caused by insufficient validation of the AMF protocol, received a CVSS score of 9.8. Cisco said the problem was fixed in Cisco Secure ACS Release 5.8.0.32.7. Positive Technologies contends that v5.8.0.32.7 and v5.8.0.32.8 are also vulnerable, but in those cases attackers must first be authenticated in the system. Positive Technologies advises updating servers to version 5.8.0.32.9 or later.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.