DOE-CIRC TECHNICAL BULLETIN

T-254: Cisco IOS Software Authentication Proxy Vulnerability

[CVE-2009-2863]

October 20, 2009 14:00 GMT

PROBLEM: Cisco IOS® Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
PLATFORM: Cisco IOS 12.0 through 12.4. See bulletin for full list of products affected.
ABSTRACT: Race condition in the Firewall Authentication Proxy feature in Cisco IOS 12.0 through 12.4 allows remote attackers to bypass authentication, or bypass the consent web page, via a crafted request.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-254.shtml
  OTHER LINKS: Security Focus
http://www.securityfocus.com/bid/36491/info
Cisco
http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8132.shtml

  CVE: CVE-2009-2863

IMPACT ASSESSMENT: This risk is medium. Successfully exploiting this issue allows a remote attacker to pass traffic through a vulnerable device without authenticating to the authentication proxy or acknowledging the consent webpage.

[***** Start CVE-2009-2863 *****]
Discussion:
The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS, or other RADIUS or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users. The Web Authentication feature leverages the underlying authentication proxy feature.

The consent feature for Cisco IOS routers enables organizations to provide temporary Internet and corporate access to end users through their wired and wireless networks by presenting a consent webpage. The consent feature can be used with or without requesting a username and password, but still leverages the underlying authentication proxy feature.
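As an added example (not part of this bulletin or of Cisco's advisory), the following Python script audits a saved IOS running-config for the three configurations the bulletin names: Authentication Proxy (`ip auth-proxy name <rule> http`), Web Authentication (`ip admission name <rule> proxy http`) and consent (`ip admission name <rule> consent`), and reports which interfaces actually apply one of those rules. The configuration embedded in the script is constructed for illustration. The version check only establishes that the device runs a 12.x train in the affected range; fixed releases exist inside each train, so the exact release still has to be compared against the fixed-release table in Cisco's advisory.

```python
"""Audit an IOS running-config for the features CVE-2009-2863 depends on.

Added example for this bulletin, not Cisco's code.  SAMPLE_CONFIG is a
constructed configuration used only to demonstrate the checks.
"""
import re
from typing import Dict, List

# Global rule definitions that enable the vulnerable authentication proxy path:
#   ip auth-proxy name <rule> http ...       classic Authentication Proxy
#   ip admission name <rule> proxy http ...  newer syntax, also used by Web Authentication
#   ip admission name <rule> consent ...     consent webpage
AUTH_PROXY_RE = re.compile(r"^ip auth-proxy name (\S+) http\b")
ADMISSION_RE = re.compile(r"^ip admission name (\S+) (proxy http|consent)\b")
# A rule only matters once it is applied under an interface ("ip auth-proxy <rule>"
# or "ip admission <rule>"); interface sub-commands are indented by one space.
APPLY_RE = re.compile(r"^\s+ip (?:auth-proxy|admission) (?!name\b)(\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
VERSION_RE = re.compile(r"^version (\d+\.\d+)")
AFFECTED_TRAINS = {"12.0", "12.1", "12.2", "12.3", "12.4"}

# Constructed sample: two interfaces apply a rule, one does not.
SAMPLE_CONFIG = """\
version 12.4
!
aaa new-model
aaa authentication login default group radius
!
ip auth-proxy name WEBAUTH http inactivity-time 60
ip admission name GUEST consent
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip auth-proxy WEBAUTH
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip admission GUEST
!
interface FastEthernet1/0
 ip address 203.0.113.1 255.255.255.0
!
"""


def parse_config(text: str) -> dict:
    """Collect the IOS version, defined proxy/admission rules and where they are applied."""
    rules: Dict[str, str] = {}           # rule name -> kind of rule
    applied: Dict[str, List[str]] = {}   # interface -> rule names applied to it
    version = None
    iface = None
    for line in text.splitlines():
        if line.startswith("!"):         # '!' closes the current config section
            iface = None
            continue
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            continue
        m = AUTH_PROXY_RE.match(line)
        if m:
            rules[m.group(1)] = "auth-proxy http"
            continue
        m = ADMISSION_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
            continue
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = APPLY_RE.match(line)
        if iface and m:
            applied.setdefault(iface, []).append(m.group(1))
    return {"version": version, "rules": rules, "applied": applied}


def assess(cfg: dict) -> dict:
    """Return which interfaces expose a defined rule and whether the device is a candidate."""
    exposed: Dict[str, List[str]] = {}
    for iface, names in cfg["applied"].items():
        for name in names:
            if name in cfg["rules"]:     # an applied rule must also be defined globally
                exposed.setdefault(iface, []).append(f"{name} ({cfg['rules'][name]})")
    # The 'version' line only names the train; fixed releases exist inside each
    # train, so candidate=True means "compare the exact release with Cisco's table".
    in_train = cfg["version"] in AFFECTED_TRAINS
    return {"in_affected_train": in_train,
            "exposed_interfaces": exposed,
            "candidate": in_train and bool(exposed)}


if __name__ == "__main__":
    result = assess(parse_config(SAMPLE_CONFIG))
    for iface, names in sorted(result["exposed_interfaces"].items()):
        print(f"{iface}: {', '.join(names)}")
    print("candidate for CVE-2009-2863:", result["candidate"])
```

Feed it the output of `show running-config` from each router; an interface that applies a rule which is not defined globally is reported as not exposed, because the proxy path is never entered for that interface.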

This vulnerability allows a session to be permitted without first being authenticated by the authentication proxy, or to be permitted without first acknowledging the consent webpage. At least one successfully authenticated session or accepted consent session must exist for the vulnerability to be exposed. When this occurs, the RADIUS or TACACS+ server shows each subsequent user as authenticated under the same username as the initial connection (when authentication is performed), regardless of the credentials that user supplied, whether that user is defined on the AAA server, or whether the password was correct.

This vulnerability is caused by a race condition in the code, and several conditions outside the control of a malicious user must be met before it can be exploited.
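The symptom described above (later sessions appearing on the AAA server under the first user's name) is visible in accounting data even though the bypass itself is not. As an added example, not from the bulletin or any vendor, the Python below reads simplified accounting records and flags any username whose session starts come from several distinct client addresses within a short window. The record format and the records are constructed here, loosely modelled on the RADIUS Acct-Status-Type, User-Name and Framed-IP-Address attributes; adapt the parser to whatever your AAA server actually logs.

```python
"""Flag one username being 'authenticated' from many client addresses in a short window.

Added example for this bulletin, not code from Cisco or any AAA vendor.  The
record format and the records themselves are constructed: each line is a
timestamp followed by key=value pairs loosely modelled on the RADIUS
Acct-Status-Type, User-Name and Framed-IP-Address attributes.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: 'alice' shows up from four addresses inside five minutes.
SAMPLE_LOG = """\
2009-10-20T13:55:01Z Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.10.1.15
2009-10-20T13:55:09Z Acct-Status-Type=Start User-Name=bob Framed-IP-Address=10.10.1.22
2009-10-20T13:57:40Z Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.10.1.77
2009-10-20T13:58:02Z Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.10.1.91
2009-10-20T13:58:30Z Acct-Status-Type=Stop User-Name=bob Framed-IP-Address=10.10.1.22
2009-10-20T13:59:11Z Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.10.1.104
2009-10-20T14:40:00Z Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.10.1.15
"""

Record = Tuple[datetime, str, str, str]   # (timestamp, status, user, client ip)


def parse_records(text: str) -> List[Record]:
    """Parse the constructed accounting format; lines missing a required field are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            records.append((ts, attrs["Acct-Status-Type"], attrs["User-Name"],
                            attrs["Framed-IP-Address"]))
        except (KeyError, ValueError):
            continue
    return records


def shared_identity_alerts(records: List[Record],
                           window: timedelta = timedelta(minutes=10),
                           min_hosts: int = 3) -> Dict[str, List[str]]:
    """Return {user: client ips} for users whose session Starts come from
    at least min_hosts distinct addresses inside any window-length interval.

    A user re-authenticating from a couple of machines is normal; many
    different addresses under one name within minutes matches the symptom
    in the bulletin, where every bypassed session is logged under the first
    authenticated user.
    """
    starts: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, status, user, ip in records:
        if status == "Start":
            starts[user].append((ts, ip))
    alerts: Dict[str, List[str]] = {}
    for user, events in starts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = set()
            for ts, ip in events[i:]:          # sliding window anchored at event i
                if ts - t0 > window:
                    break
                hosts.add(ip)
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts, key=ipaddress.ip_address)
                break                          # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for user, hosts in shared_identity_alerts(parse_records(SAMPLE_LOG)).items():
        print(f"{user}: {len(hosts)} client addresses within 10 minutes -> {hosts}")
```

Tune `window` and `min_hosts` to the environment: a shared kiosk account or a large NAT pool behind the proxy will trip a low threshold legitimately, so treat a hit as a prompt to pull the device's auth-proxy session cache and compare, not as proof of exploitation.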

Vulnerable:
Cisco IOS 12.4YB    Cisco IOS 12.4YA    Cisco IOS 12.4XZ    Cisco IOS 12.4XY    Cisco IOS 12.4XW
Cisco IOS 12.4XV    Cisco IOS 12.4XT    Cisco IOS 12.4XK    Cisco IOS 12.4XJ    Cisco IOS 12.4XF
Cisco IOS 12.4XE    Cisco IOS 12.4XD    Cisco IOS 12.4XC    Cisco IOS 12.4XA    Cisco IOS 12.4T
Cisco IOS 12.4MR    Cisco IOS 12.4      Cisco IOS 12.3ZA    Cisco IOS 12.3YZ    Cisco IOS 12.3YT
Cisco IOS 12.3YS    Cisco IOS 12.3YM    Cisco IOS 12.3YK    Cisco IOS 12.3YI    Cisco IOS 12.3YH
Cisco IOS 12.3YG    Cisco IOS 12.3YD    Cisco IOS 12.3YA    Cisco IOS 12.3XX    Cisco IOS 12.3XS
Cisco IOS 12.3XR    Cisco IOS 12.3XQ    Cisco IOS 12.3XL    Cisco IOS 12.3XK    Cisco IOS 12.3XG
Cisco IOS 12.3XF    Cisco IOS 12.3XE    Cisco IOS 12.3XD    Cisco IOS 12.3XC    Cisco IOS 12.3XA
Cisco IOS 12.3VA    Cisco IOS 12.3TPC   Cisco IOS 12.3T     Cisco IOS 12.3JK    Cisco IOS 12.3B
Cisco IOS 12.3      Cisco IOS 12.2ZYA   Cisco IOS 12.2ZY    Cisco IOS 12.2ZU    Cisco IOS 12.2ZL
Cisco IOS 12.2ZJ    Cisco IOS 12.2ZH    Cisco IOS 12.2ZG    Cisco IOS 12.2ZF    Cisco IOS 12.2ZE
Cisco IOS 12.2ZD    Cisco IOS 12.2YZ    Cisco IOS 12.2YX    Cisco IOS 12.2YV    Cisco IOS 12.2YU
Cisco IOS 12.2YR    Cisco IOS 12.2YQ    Cisco IOS 12.2YO    Cisco IOS 12.2YN    Cisco IOS 12.2YM
Cisco IOS 12.2YL    Cisco IOS 12.2YJ    Cisco IOS 12.2YH    Cisco IOS 12.2YF    Cisco IOS 12.2YE
Cisco IOS 12.2YC    Cisco IOS 12.2YB    Cisco IOS 12.2YA    Cisco IOS 12.2XW    Cisco IOS 12.2XV
Cisco IOS 12.2XT    Cisco IOS 12.2XQ    Cisco IOS 12.2XO    Cisco IOS 12.2XM    Cisco IOS 12.2XL
Cisco IOS 12.2XK    Cisco IOS 12.2XJ    Cisco IOS 12.2XH    Cisco IOS 12.2XG    Cisco IOS 12.2XD
Cisco IOS 12.2XB    Cisco IOS 12.2XA    Cisco IOS 12.2TPC   Cisco IOS 12.2T     Cisco IOS 12.2SZ
Cisco IOS 12.2SXI   Cisco IOS 12.2SXH   Cisco IOS 12.2SXF   Cisco IOS 12.2SXE   Cisco IOS 12.2SXD
Cisco IOS 12.2SXB   Cisco IOS 12.2SXA   Cisco IOS 12.2SX    Cisco IOS 12.2SW    Cisco IOS 12.2SV
Cisco IOS 12.2SU    Cisco IOS 12.2SRD   Cisco IOS 12.2SRC   Cisco IOS 12.2SRB   Cisco IOS 12.2SRA
Cisco IOS 12.2SQ    Cisco IOS 12.2SGA   Cisco IOS 12.2SG    Cisco IOS 12.2SEG   Cisco IOS 12.2SEF
Cisco IOS 12.2SEE   Cisco IOS 12.2SED   Cisco IOS 12.2SEC   Cisco IOS 12.2SEB   Cisco IOS 12.2SEA
Cisco IOS 12.2SE    Cisco IOS 12.2SBC   Cisco IOS 12.2SB    Cisco IOS 12.2S     Cisco IOS 12.2IXH
Cisco IOS 12.2IXG   Cisco IOS 12.2IXF   Cisco IOS 12.2IXE   Cisco IOS 12.2IXD   Cisco IOS 12.2IXC
Cisco IOS 12.2IXB   Cisco IOS 12.2IXA   Cisco IOS 12.2IRC   Cisco IOS 12.2IRB   Cisco IOS 12.2IRA
Cisco IOS 12.2FZ    Cisco IOS 12.2FY    Cisco IOS 12.2FX    Cisco IOS 12.2EY    Cisco IOS 12.2EX
Cisco IOS 12.2EWA   Cisco IOS 12.2EW    Cisco IOS 12.2EU    Cisco IOS 12.2DD    Cisco IOS 12.2CZ
Cisco IOS 12.2BW    Cisco IOS 12.2B
Cisco IOS 12.2(33)SXH5    Cisco IOS 12.2(33)SXH4    Cisco IOS 12.2(33)SXH3    Cisco IOS 12.2(18)SXF16
Cisco IOS 12.2(18)SXF15   Cisco IOS 12.2(18)SXF14   Cisco IOS 12.2(18)SXF13   Cisco IOS 12.2(18)SXF11
Cisco IOS 12.2      Cisco IOS 12.1YI    Cisco IOS 12.1YF    Cisco IOS 12.1YE    Cisco IOS 12.1YD
Cisco IOS 12.1YB    Cisco IOS 12.1XT    Cisco IOS 12.1XR    Cisco IOS 12.1XP    Cisco IOS 12.1XM
Cisco IOS 12.1XL    Cisco IOS 12.1XJ    Cisco IOS 12.1XI    Cisco IOS 12.1XH    Cisco IOS 12.1XC
Cisco IOS 12.1T     Cisco IOS 12.1EX    Cisco IOS 12.1EA    Cisco IOS 12.1E     Cisco IOS 12.1DC
Cisco IOS 12.1DB    Cisco IOS 12.1AY    Cisco IOS 12.1      Cisco IOS 12.0XR    Cisco IOS 12.0XK
Cisco IOS 12.0XE    Cisco IOS 12.0WC    Cisco IOS 12.0T     Cisco IOS 12.0DC    Cisco IOS 12.0DB

Solution:
Cisco has released free software updates that address this vulnerability.  Please see the referenced advisory for details.

[***** End CVE-2009-2863 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788