Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

Cisco's NAC Gets Hacked

German security experts develop tool that spoofs legitimate client and fools Cisco servers into allowing network access

Researchers in Germany today demonstrated a tool that allows an unauthorized PC to disguise itself as a legitimate client in a Cisco Network Admission Control (NAC) environment, effectively circumventing the networking giant's end-point security strategy.

In a presentation at the Black Hat Europe conference this morning, two researchers from ERNW GmbH, a German security and penetration testing firm, released a tool called "NAC Credential Spoofing." ERNW has informed Cisco of the vulnerabilities and the tool, but the switch maker has not responded yet, they say.

The tool springs from a couple of "design flaws" that ERNW discovered in Cisco's NAC, according to Michael Thumann, CSO at ERNW, who developed the tool with Dror-John Roecher, a senior security consultant. The flaws were found in the communication between the client and Cisco's Admission Control Server (ACS), and therefore would apply to any Cisco NAC environment, regardless of what hardware models or software versions were installed.

The first flaw is a lack of authentication between the client and the ACS server, Thumann explains. "The client has an IP address, but there's currently no way to authenticate the device," he says. "Any device could interact with the server at Layer 2." The introduction of IEEE 802.1x technology will eventually make this interface more secure, but the window remains open for now, he says.

"This is a little different than the other reports you may have seen, which are projections based on surveys or Internet crime reports," Bransford observes. "Everything we found is actually out there right now, on the open Internet."

The second flaw -- and this would apply to any NAC environment that relies on the client to provide its own policy compliance information -- is that there is no way to verify that the client is telling the truth about its configuration. "This means that a client can essentially be set up to lie to the policy server about its antivirus capabilities and so forth," Thumann says.

To prove their point, the ERNW researchers reverse-engineered the Cisco Trust Agent (CTA) -- the agent software that resides on the client device -- and created a tool that lets an end-station spoof a legitimate device, responding to the policy server's questions with all the right answers. The researchers even manufactured a Trend Micro Devices plug-in that fooled the Cisco ACS into believing that the client was outfitted with Trend Micro software.

"We used Trend Micro because it was handy, but we could have spoofed any security or antivirus software," Thumann says.

The Black Hat demonstration used IP addresses that the ACS server would recognize as legitimate, so the exploit demonstrated this morning could be executed only by an insider who had an internal network address. ERNW is currently working on a full-blown spoofed version of the CTA software that would allow external entities to fake their way onto Cisco networks as well.

ERNW has not yet tested its concept on Microsoft's Network Access Protection or other NAC environments, but in theory it should work in any environment where the client reports its own configuration and security policy compliance information, without an independent check. NAC environments that check clients from a central point, such as an IDS or IPS, would not be fooled by the new tool, Thumann says.

Cisco officials were "very professional" when ERNW informed them of the vulnerabilities and the new tool, Thumann says. The company did not repeat its performance of the 2005 Black Hat conference, in which former ISS researcher Michael Lynn was prevented from exposing a Cisco vulnerability under threat of a lawsuit, he notes.

An abstract of the ERNW presentation is available on the Black Hat Website. ERNW will be publishing a complete paper on its research in the near future, Thumann says.

— Tim Wilson, Site Editor, Dark Reading

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • ERNW GmbH

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
     

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 5/28/2020
    The Problem with Artificial Intelligence in Security
    Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
    10 iOS Security Tips to Lock Down Your iPhone
    Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-6342
    PUBLISHED: 2020-05-28
    An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
    CVE-2020-11082
    PUBLISHED: 2020-05-28
    In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.
    CVE-2020-5357
    PUBLISHED: 2020-05-28
    Dell Dock Firmware Update Utilities for Dell Client Consumer and Commercial docking stations contain an Arbitrary File Overwrite vulnerability. The vulnerability is limited to the Dell Dock Firmware Update Utilities during the time window while being executed by an administrator. During this time wi...
    CVE-2020-13660
    PUBLISHED: 2020-05-28
    CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.
    CVE-2020-11079
    PUBLISHED: 2020-05-28
    node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.