CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
72.3%
The version of Cisco Secure Access Control Server for Windows 4.x is earlier than 4.2.1.15.11. It is, therefore, potentially affected by a remote code execution vulnerability. Due to improper parsing of user identities used for EAP-FAST authentication, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.
Note that this issue only affects Cisco Secure Access Control Server for Windows when configured as a RADIUS server.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(69926);
script_version("1.6");
script_cvs_date("Date: 2019/11/27");
script_cve_id("CVE-2013-3466");
script_bugtraq_id(62028);
script_xref(name:"CISCO-BUG-ID", value:"CSCui57636");
script_xref(name:"IAVA", value:"2013-A-0167");
script_xref(name:"CISCO-SA", value:"cisco-sa-20130828-acs");
script_name(english:"Cisco Secure Access Control Server for Windows Remote Code Execution");
script_summary(english:"Checks version of Cisco Secure ACS for Windows");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an access control application installed
that is affected by a code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Cisco Secure Access Control Server for Windows 4.x is
earlier than 4.2.1.15.11. It is, therefore, potentially affected by a
remote code execution vulnerability. Due to improper parsing of user
identities used for EAP-FAST authentication, a remote, unauthenticated
attacker could execute arbitrary code on the remote host subject to the
privileges of the user running the affected application.
Note that this issue only affects Cisco Secure Access Control Server for
Windows when configured as a RADIUS server.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130828-acs
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cf1e10c2");
script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco Secure Access Control Server for Windows 4.2.1.15.11
or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-3466");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/08/28");
script_set_attribute(attribute:"patch_publication_date", value:"2013/08/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:secure_access_control_server");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_secure_acs_for_windows_installed.nasl");
script_require_keys("SMB/Cisco Secure ACS for Windows/Path", "SMB/Cisco Secure ACS for Windows/Version");
script_require_ports(139, 445);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
kb_base = 'SMB/Cisco Secure ACS for Windows/';
version = get_kb_item_or_exit('SMB/Cisco Secure ACS for Windows/Version');
path = get_kb_item_or_exit('SMB/Cisco Secure ACS for Windows/Path');
name = kb_smb_name();
port = kb_smb_transport();
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if (version =~ '^4\\.' && ver_compare(ver:version, fix:'4.2.1.15.11') < 0)
{
# Make sure it is configured as a RADIUS server
nasvendor = NULL;
registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
key = "SOFTWARE\Cisco";
subkeys = get_registry_subkeys(handle:hklm, key:key);
if (!isnull(subkeys))
{
foreach subkey (subkeys)
{
if (subkey =~ '^CiscoSecure ACS v[0-9\\.]+')
{
key = key + '\\' + subkey + "\Setup\NasVendor";
nasvendor = get_registry_value(handle:hklm, item:key);
break;
}
}
}
RegCloseKey(handle:hklm);
close_registry();
if (isnull(nasvendor)) exit(1, 'Failed to determine the NAS type.');
if ('radius' >!< tolower(nasvendor)) exit(0, 'The host is not affected because Cisco Secure ACS for Windows is not configured as a RADIUS server.');
if (report_verbosity > 0)
{
report =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 4.2.1.15.11\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, 'Cisco Secure Access Control Server for Windows', version, path);