Cisco Systems free security patches for Secure Access management Server (Secure ACS) for Windows to deal with a crucial vulnerability that might permit unauthenticated attackers to remotely execute arbitrary commands and head of the underlying package.
Cisco Secure ACS is associate degree application that permits firms to centrally manage access to network resources for varied kinds of devices and users. per Cisco’s documentation, it enforces access management policies for VPN, wireless and alternative network users and it authenticates directors, authorizes commands, associate degreed provides an audit path.
Cisco Secure ACS supports 2 network access management protocols: Remote Access Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System and (TACACS+).
The freshly patched vulnerability is known as CVE-2013-3466 and affects Cisco Secure ACS for Windows versions four.0 through four.2.1.15 once organized as a RADIUS server with protrusible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) authentication.
“The vulnerability is owing to improper parsing of user identities used for EAP-FAST authentication,” Cisco aforementioned Wed in a very security informatory. “An assailant may exploit this vulnerability by causing crafted EAP-FAST packets to associate degree affected device.”
“Successful exploitation of the vulnerability could permit associate degree unauthenticated, remote assailant to execute arbitrary commands and take full management of the underlying package that hosts the Cisco Secure ACS application within the context of the System user for Cisco Secure ACS running on Microsoft Windows,” the corporate aforementioned.
The vulnerability received the most severity score, 10.0, within the Common Vulnerability classification system (CVSS), that indicates that it’s extremely crucial. Cisco Secure ACS for Windows version four.220.127.116.11 was free to deal with the flaw.