Researchers in Germany today demonstrated a tool that allows an unauthorized PC to disguise itself as a legitimate client in a Cisco Network Admission Control (NAC) environment, effectively circumventing the networking giant's end-point security strategy.
In a presentation at the Black Hat Europe conference this morning, two researchers from ERNW GmbH, a German security and penetration testing firm, released a tool called "NAC Credential Spoofing." ERNW has informed Cisco of the vulnerabilities and the tool, but the switch maker has not responded yet, they say.
The tool springs from a couple of "design flaws" that ERNW discovered in Cisco's NAC, according to Michael Thumann, CSO at ERNW, who developed the tool with Dror-John Roecher, a senior security consultant. The flaws were found in the communication between the client and Cisco's Admission Control Server (ACS), and therefore would apply to any Cisco NAC environment, regardless of what hardware models or software versions were installed.
The first flaw is a lack of authentication between the client and the ACS server, Thumann explains. "The client has an IP address, but there's currently no way to authenticate the device," he says. "Any device could interact with the server at Layer 2." The introduction of IEEE 802.1x technology will eventually make this interface more secure, but the window remains open for now, he says.
"This is a little different than the other reports you may have seen, which are projections based on surveys or Internet crime reports," Bransford observes. "Everything we found is actually out there right now, on the open Internet."
The second flaw -- and this would apply to any NAC environment that relies on the client to provide its own policy compliance information -- is that there is no way to verify that the client is telling the truth about its configuration. "This means that a client can essentially be set up to lie to the policy server about its antivirus capabilities and so forth," Thumann says.
To prove their point, the ERNW researchers reverse-engineered the Cisco Trust Agent (CTA) -- the agent software that resides on the client device -- and created a tool that lets an end-station spoof a legitimate device, responding to the policy server's questions with all the right answers. The researchers even manufactured a Trend Micro Devices plug-in that fooled the Cisco ACS into believing that the client was outfitted with Trend Micro software.
"We used Trend Micro because it was handy, but we could have spoofed any security or antivirus software," Thumann says.The Black Hat demonstration used IP addresses that the ACS server would recognize as legitimate, so the exploit demonstrated this morning could be executed only by an insider who had an internal network address. ERNW is currently working on a full-blown spoofed version of the CTA software that would allow external entities to fake their way onto Cisco networks as well.
ERNW has not yet tested its concept on Microsoft's Network Access Protection or other NAC environments, but in theory it should work in any environment where the client reports its own configuration and security policy compliance information, without an independent check. NAC environments that check clients from a central point, such as an IDS or IPS, would not be fooled by the new tool, Thumann says.
Cisco officials were "very professional" when ERNW informed them of the vulnerabilities and the new tool, Thumann says. The company did not repeat its performance of the 2005 Black Hat conference, in which former ISS researcher Michael Lynn was prevented from exposing a Cisco vulnerability under threat of a lawsuit, he notes.
An abstract of the ERNW presentation is available on the Black Hat Website. ERNW will be publishing a complete paper on its research in the near future, Thumann says.
Tim Wilson, Site Editor, Dark Reading