Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

Cisco's NAC Gets Hacked

German security experts develop tool that spoofs legitimate client and fools Cisco servers into allowing network access

Researchers in Germany today demonstrated a tool that allows an unauthorized PC to disguise itself as a legitimate client in a Cisco Network Admission Control (NAC) environment, effectively circumventing the networking giant's end-point security strategy.

In a presentation at the Black Hat Europe conference this morning, two researchers from ERNW GmbH, a German security and penetration testing firm, released a tool called "NAC Credential Spoofing." ERNW has informed Cisco of the vulnerabilities and the tool, but the switch maker has not responded yet, they say.

The tool springs from a couple of "design flaws" that ERNW discovered in Cisco's NAC, according to Michael Thumann, CSO at ERNW, who developed the tool with Dror-John Roecher, a senior security consultant. The flaws were found in the communication between the client and Cisco's Admission Control Server (ACS), and therefore would apply to any Cisco NAC environment, regardless of what hardware models or software versions were installed.

The first flaw is a lack of authentication between the client and the ACS server, Thumann explains. "The client has an IP address, but there's currently no way to authenticate the device," he says. "Any device could interact with the server at Layer 2." The introduction of IEEE 802.1x technology will eventually make this interface more secure, but the window remains open for now, he says.

"This is a little different than the other reports you may have seen, which are projections based on surveys or Internet crime reports," Bransford observes. "Everything we found is actually out there right now, on the open Internet."

The second flaw -- and this would apply to any NAC environment that relies on the client to provide its own policy compliance information -- is that there is no way to verify that the client is telling the truth about its configuration. "This means that a client can essentially be set up to lie to the policy server about its antivirus capabilities and so forth," Thumann says.

To prove their point, the ERNW researchers reverse-engineered the Cisco Trust Agent (CTA) -- the agent software that resides on the client device -- and created a tool that lets an end-station spoof a legitimate device, responding to the policy server's questions with all the right answers. The researchers even manufactured a Trend Micro Devices plug-in that fooled the Cisco ACS into believing that the client was outfitted with Trend Micro software.

"We used Trend Micro because it was handy, but we could have spoofed any security or antivirus software," Thumann says.

The Black Hat demonstration used IP addresses that the ACS server would recognize as legitimate, so the exploit demonstrated this morning could be executed only by an insider who had an internal network address. ERNW is currently working on a full-blown spoofed version of the CTA software that would allow external entities to fake their way onto Cisco networks as well.

ERNW has not yet tested its concept on Microsoft's Network Access Protection or other NAC environments, but in theory it should work in any environment where the client reports its own configuration and security policy compliance information, without an independent check. NAC environments that check clients from a central point, such as an IDS or IPS, would not be fooled by the new tool, Thumann says.

Cisco officials were "very professional" when ERNW informed them of the vulnerabilities and the new tool, Thumann says. The company did not repeat its performance of the 2005 Black Hat conference, in which former ISS researcher Michael Lynn was prevented from exposing a Cisco vulnerability under threat of a lawsuit, he notes.

An abstract of the ERNW presentation is available on the Black Hat Website. ERNW will be publishing a complete paper on its research in the near future, Thumann says.

— Tim Wilson, Site Editor, Dark Reading

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • ERNW GmbH

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    News
    Inside the Ransomware Campaigns Targeting Exchange Servers
    Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
    Commentary
    Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
    Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-30477
    PUBLISHED: 2021-04-15
    An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
    CVE-2021-30478
    PUBLISHED: 2021-04-15
    An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
    CVE-2021-30479
    PUBLISHED: 2021-04-15
    An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
    CVE-2021-30487
    PUBLISHED: 2021-04-15
    In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
    CVE-2020-36288
    PUBLISHED: 2021-04-15
    The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...