Analytics

Cisco's NAC Gets Hacked

German security experts develop tool that spoofs legitimate client and fools Cisco servers into allowing network access

Researchers in Germany today demonstrated a tool that allows an unauthorized PC to disguise itself as a legitimate client in a Cisco Network Admission Control (NAC) environment, effectively circumventing the networking giant's end-point security strategy.

In a presentation at the Black Hat Europe conference this morning, two researchers from ERNW GmbH, a German security and penetration testing firm, released a tool called "NAC Credential Spoofing." ERNW has informed Cisco of the vulnerabilities and the tool, but the switch maker has not responded yet, they say.

The tool springs from a couple of "design flaws" that ERNW discovered in Cisco's NAC, according to Michael Thumann, CSO at ERNW, who developed the tool with Dror-John Roecher, a senior security consultant. The flaws were found in the communication between the client and Cisco's Admission Control Server (ACS), and therefore would apply to any Cisco NAC environment, regardless of what hardware models or software versions were installed.

The first flaw is a lack of authentication between the client and the ACS server, Thumann explains. "The client has an IP address, but there's currently no way to authenticate the device," he says. "Any device could interact with the server at Layer 2." The introduction of IEEE 802.1x technology will eventually make this interface more secure, but the window remains open for now, he says.

"This is a little different than the other reports you may have seen, which are projections based on surveys or Internet crime reports," Bransford observes. "Everything we found is actually out there right now, on the open Internet."

The second flaw -- and this would apply to any NAC environment that relies on the client to provide its own policy compliance information -- is that there is no way to verify that the client is telling the truth about its configuration. "This means that a client can essentially be set up to lie to the policy server about its antivirus capabilities and so forth," Thumann says.

To prove their point, the ERNW researchers reverse-engineered the Cisco Trust Agent (CTA) -- the agent software that resides on the client device -- and created a tool that lets an end-station spoof a legitimate device, responding to the policy server's questions with all the right answers. The researchers even manufactured a Trend Micro Devices plug-in that fooled the Cisco ACS into believing that the client was outfitted with Trend Micro software.

"We used Trend Micro because it was handy, but we could have spoofed any security or antivirus software," Thumann says.

The Black Hat demonstration used IP addresses that the ACS server would recognize as legitimate, so the exploit demonstrated this morning could be executed only by an insider who had an internal network address. ERNW is currently working on a full-blown spoofed version of the CTA software that would allow external entities to fake their way onto Cisco networks as well.

ERNW has not yet tested its concept on Microsoft's Network Access Protection or other NAC environments, but in theory it should work in any environment where the client reports its own configuration and security policy compliance information, without an independent check. NAC environments that check clients from a central point, such as an IDS or IPS, would not be fooled by the new tool, Thumann says.

Cisco officials were "very professional" when ERNW informed them of the vulnerabilities and the new tool, Thumann says. The company did not repeat its performance of the 2005 Black Hat conference, in which former ISS researcher Michael Lynn was prevented from exposing a Cisco vulnerability under threat of a lawsuit, he notes.

An abstract of the ERNW presentation is available on the Black Hat Website. ERNW will be publishing a complete paper on its research in the near future, Thumann says.

— Tim Wilson, Site Editor, Dark Reading

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • ERNW GmbH

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    The Year in Security 2018
    This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
    Flash Poll
    How Enterprises Are Attacking the Cybersecurity Problem
    How Enterprises Are Attacking the Cybersecurity Problem
    Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2018-20735
    PUBLISHED: 2019-01-17
    ** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
    CVE-2019-0624
    PUBLISHED: 2019-01-17
    A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
    CVE-2019-0646
    PUBLISHED: 2019-01-17
    A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
    CVE-2019-0647
    PUBLISHED: 2019-01-17
    An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
    CVE-2018-20727
    PUBLISHED: 2019-01-17
    Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.