Field Notice: Cisco IOS 11.3(1.2) and 11.3(1.2)T AAA Failure

January 21, 1998, 16:20 US/Pacific, Revision 3
_________________________________________________________________

Contents

* [2]Summary
* [3]Who Is Affected
* [4]Impact
* [5]Details
* [6]Exploitation and Public Announcements
* [7]Status of This Notice
* [8]Distribution
* [9]Revision History

[10]Cisco Security Procedures
_________________________________________________________________

Summary

A vulnerability (bug ID CSCdj74723) in AAA authentication processing on Cisco IOS versions 11.3(1.2) and 11.3(1.2)T may allow users to get access for which they are not intended to be authorized. This affects only the 11.3(1.2) and 11.3(1.2)T interim releases. It does not affect any non-interim, production Cisco IOS software release. The bug that creates this vulnerability may also result in access being denied to legitimate users, or in system crashes.

If you are a [11]registered CCO user and you have logged in, you can view bug details.

Who Is Affected

All systems running Cisco IOS Software version 11.3(1.2) or 11.3(1.2)T, and which use TACACS+, RADIUS, or other AAA services for authorization, are affected by this vulnerability. If your configuration includes any command beginning with "aaa authorization", then you are vulnerable.

Systems using AAA strictly for login authentication, as opposed to service authorization, and systems using local authentication, are unaffected. We believe that the most commonly affected configurations will be those using TACACS+ or RADIUS servers.

Systems running engineering special releases containing the fix for bug ID CSCdi51915 may also be affected.

If you are a [12]registered CCO user and you have logged in, you can view bug details.

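The two conditions above (an affected interim release, plus any command beginning with "aaa authorization") can be checked against saved device output. The following is an added example, not Cisco's code; the function names, status strings, and the sample "show version" and configuration text are constructed for illustration.

```python
import re

# Interim releases the notice names as carrying bug CSCdj74723.
AFFECTED_RELEASES = {"11.3(1.2)", "11.3(1.2)T"}
VERSION_RE = re.compile(r"\bVersion\s+(\d+\.\d+\([0-9a-z.]+\)[A-Za-z]*)")

# Constructed sample inputs, not captured from a real device.
SAMPLE_SHOW_VERSION = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 2500 Software (C2500-I-L), Version 11.3(1.2)T, INTERIM SOFTWARE\n"
)
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ local
aaa authorization exec tacacs+ if-authenticated
!
tacacs-server host 192.0.2.10
"""

def ios_version(show_version):
    """Return the first IOS version string in 'show version' text, or None."""
    match = VERSION_RE.search(show_version)
    return match.group(1) if match else None

def authorization_commands(running_config):
    """Return the config commands that begin with 'aaa authorization'."""
    lines = (line.strip() for line in running_config.splitlines())
    return [l for l in lines if l.lower().startswith("aaa authorization")]

def assess(show_version, running_config):
    """Classify one device against the two conditions in the notice."""
    version = ios_version(show_version)
    commands = authorization_commands(running_config)
    if version is None:
        status = "unknown-version"
    elif version not in AFFECTED_RELEASES:
        # Engineering specials carrying the CSCdi51915 fix cannot be
        # recognised from the version string; check those by hand.
        status = "release-not-listed"
    elif commands:
        status = "vulnerable"
    else:
        status = "affected-release-without-aaa-authorization"
    return {"version": version, "status": status, "commands": commands}

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```

A "release-not-listed" result does not clear an engineering special, which the notice says may still contain the bug.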
Impact

This vulnerability may let attackers evade authorization, which may mean that they can issue system commands that they would not otherwise be able to issue, or that they can make connections or send packets to destinations that they would not otherwise be able to reach. It is possible for this to happen without any special skills or knowledge on the part of the attacker, and it is also possible for extra access to be granted to a legitimate user who isn't deliberately conducting an attack at all. The effects of the vulnerability depend on the installation, but you should assume that it opens very broad access to your network.

The underlying bug can also result in denial of authorization to legitimate users, or in system crashes.

Details

This vulnerability (Bug ID CSCdj74723) was introduced by the fix for Bug ID CSCdi51915, which was integrated in Cisco IOS versions 11.3(1.2) and 11.3(1.2)T. It has been fixed for 11.3(1.3) and 11.3(1.3)T. Only these interim releases are affected; CSCdj74723 is not in any regular, released Cisco IOS software image.

Cisco's product security incident response team does not know of any engineering specials that are vulnerable, but, because such specials may be released on an informal basis, it is impossible to determine with absolute certainty whether or not such images exist. Cisco personnel who have been involved in the issuance of specials to customers since January 8, 1998, and customers who have received such specials, are advised to check to make sure that the fix for CSCdi51915 is not in their specials. If that fix is there, the fix for CSCdj74723 must be added to protect against this vulnerability.

There is no configuration workaround for this vulnerability, short of completely disabling AAA authorization.

Exploitation and Public Announcements

Cisco has had no known reports of malicious exploitation of this vulnerability.
Cisco knows of no public announcements of the existence of this vulnerability before the date of this notice.

Status of This Notice

This field notice represents Cisco's best information as of the date given above. If more information does become available, or if errors are found, the notice will be updated, but we do not expect significant change.

Distribution

The initial version of this notice is being sent to the customers that our records show have downloaded the affected releases.

This notice will be posted in the "[13]Field Notices" section of Cisco's Worldwide Web site, which can be found under "Technical Tips" in the "Software and Support" section. The URL is http://www.cisco.com/warp/public/770/aaapair-pub.shtml. The copy on the Worldwide Web will be updated as appropriate.

If there are future changes to this notice, the new versions will be posted on the Worldwide Web. Updates will not be sent in e-mail unless the changes are significant.

Revision History

Revision 2, 14:30, 21-JAN-1997    Initial version.
Revision 3, 16:20, 21-JAN-1997    First customer release.

Cisco Security Procedures

Please report security issues with Cisco products, and/or sensitive security intrusion emergencies involving Cisco products, to [14]security-alert@cisco.com. Reports may be encrypted using PGP; public RSA and DSS keys for security-alert@cisco.com are on the public PGP keyservers.

The alias [15]security-alert@cisco.com is used only for reports incoming to Cisco. Mail sent to security-alert@cisco.com goes only to a very small group of users within Cisco. Neither outside users nor unauthorized Cisco employees may subscribe to security-alert@cisco.com. We will shortly be creating a security announcement mailing list for outgoing information. When that list is created, an announcement will be sent to appropriate Internet forums.

Please do not use security-alert@cisco.com for configuration questions, for security intrusions that you do not consider to be sensitive emergencies, or for general, non-security-related support requests. We do not have the capacity to handle such requests through this channel, and will have to refer them to [16]Cisco's Technical Assistance Center, delaying response to your questions. We advise contacting the Technical Assistance Center directly with such questions.
_________________________________________________________________

This notice is copyright 1998 by Cisco Systems, Inc. This notice may be redistributed freely provided that redistributed copies are complete and unmodified, including all date and version information.
_________________________________________________________________

Posted: Wed Jan 21 17:05:22 PST 1998
[17]Copyright © 1992--1999 Cisco Systems, Inc.

References

1. http://www.cisco.com/pcgi-bin/imagemap/navbar
2. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#summary
3. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#who
4. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#impact
5. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#details
6. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#exploit
7. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#status
8. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#distribution
9. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#revisions
10. http://www.cisco.com/warp/public/770/aaapair-pub.shtml#procedures
11. http://www.cisco.com/register
12. http://www.cisco.com/register
13. http://www.cisco.com/warp/public/770/index.shtml
14. mailto:security-alert@cisco.com
15. mailto:security-alert@cisco.com
16. http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
17. http://www.cisco.com/public/copyright.html