Cisco warns of flaws in ACS product

Networking equipment maker Cisco Systems Inc. warned customers about security holes in two products that provide user authentication and authorization services for network devices such as firewalls and routers.

The company issued a security advisory Wednesday identifying “multiple Denial of Service (DoS) and authentication related vulnerabilities” in two products: the Cisco Secure Access Control Server for Windows (Windows ACS) and Cisco Secure Access Control Server Solution Engine (Secure ACS). The vulnerabilities could allow attackers or malicious users to crash the ACS products or gain unauthorized access to network devices, Cisco said.

ACS products centralize user identity management for other Cisco products and management applications, allowing administrators to manage and enforce access policies that control who can log into the network.

Cisco found that both the Secure ACS and ACS Windows products stopped responding to new Transmission Control Protocol (TCP) connections after being flooded with TCP connections on port 2002. The denial of service condition hampered the ACS devices’ ability to process authentication requests and required the ACS devices to be rebooted to restore authentication services, Cisco said.

In other instances, Cisco found that, under certain circumstances attackers that faked (or “spoofed”) the network address of a computer that is accessing the ACS administrative user interface could access that interface without being asked to log in first, Cisco said.

Cisco released product upgrades for ACS Windows version 3.2 and 3.3 and for the ACS Solution Engine. The company recommended that customers with service contracts obtain the updates using the Cisco Product Upgrade Tool or by contacting the companies’ Technical Assistance Center.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now