Positive Technologies has elaborated on a critical remote code execution vulnerability its researchers discovered in the web interface of the Cisco Systems Access Control Server (ACS), reporting that the bug can be leveraged to perform man-in-the-middle attacks, steal credentials, access network resources and intercept traffic.
Cisco patched the flaw earlier this year, noting in a 2 May security advisory that unauthenticated, remote attackers could use a maliciously crafted Action Message Format (AMF) message to exploit the bug – designated CVE-2018-0253 – "to execute arbitrary commands on an affected system."
To capitalise on the vulnerability, adversaries must have local or remote access to the affected internal network, and any malicious commands will be executed at the targeted user's privilege level. However, in a 7 June company blog post, Positive Technologies web application security specialist Mikhail Klyuchnikov warned that if ACS is integrated with Microsoft Active Directory, then attackers can "steal the credentials of the domain administrator," thus allowing them to elevate their own privileges.
But even when Active Directory integration is not enabled, "the attacker can still obtain control of routers and firewalls in order to intercept traffic, including sensitive data, on the entire network – or access closed-off network segments, such as bank processing systems," Klyuchnikov explained.
The vulnerability, caused by insufficient validation of the AMF protocol, received a CVSS score of 9.8. Cisco said the problem was fixed in Cisco Secure ACS Release 220.127.116.11.7. Positive Technologies contends that v18.104.22.168.7 and v22.214.171.124.8 are also vulnerable, but in those cases attackers must first be authenticated in the system. Positive Technologies advises updating servers to version 126.96.36.199.9 or later.