Cisco NAC appliance is vulnerable
Cisco announced on Wed that there exists two vulnerabilities in their Cisco NAC appliance (formerly Cisco Clean Access, before that Perfigo Clean Machine). One involving the initial set up of the Clean Access Manager (I guess they still use the Clean Access name) and Clean Access Server makes it impossible to configure the "shared secret" (now there is a high-tech sounding secure name) that is used to authenticate communications between the devices (I wonder why they don't just use certificates). The other in just the Clean Access Manager allows unauthorized users to view backups of the database without authenticating.
Cisco has made patches available to fix these flaws. I wonder how long they existed as zero-day or less than zero vulnerabilities before this official announcement. In any event, doesn't it just thrill you to the bone to know that the product you use to make your network secure is itself a hole in your armor.
Authors note: Well Thomas from Matasano slapped me pretty hard on this one. Seems "shared secret" is a commonly used term and method of accomplishing secure communications. Go figure, but at least I learned something. Anyway, Thomas make a proposition to let him bang on Safe Access for free for a week to see what turns up. I am going to put it to our team and recomend we take him up on the offer.
Comments