CVE-1999-0734
Description
Default CiscoSecure ACS for UNIX configuration allows remote unauthenticated attackers to modify the server database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A default configuration of CiscoSecure Access Control Server (ACS) for UNIX allows remote users to modify the server database without any authentication [1]. This vulnerability affects versions before 2.3.3, including 2.2.2, 2.2.3, 2.3.1, and 2.3.2 [1]. The root cause is that the database server component does not validate remote clients by default, so arbitrary hosts can connect and perform administrative operations.
Exploitation
An attacker needs only network access to the CiscoSecure ACS server, which typically listens for database connections on a TCP port. No authentication or prior knowledge of valid credentials is required. The attacker can connect directly to the database service and issue commands to add, modify, or delete user accounts and configuration data [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to completely modify the server database. This can lead to full compromise of the AAA (authentication, authorization, and accounting) service, enabling the attacker to create privileged accounts, alter access policies, or disrupt normal operations. The confidentiality, integrity, and availability of the entire ACS-managed network are at risk [1].
Mitigation
Cisco released version 2.3.3 of CiscoSecure ACS for UNIX, which is not affected by the defect that prevents the client validation workaround from working properly [1]. Two workarounds exist for versions that are not subject to the related defects (CSCdm72555, CSCdk55423): enable client validation by editing the CSCconfig.ini file and setting ValidateClients = true, and list all permitted administration hosts under the [ValidClients] section. For version 2.3.3, the additional parameter FastAdminValidClients further restricts access for the Fast Administrator Web-based GUI. Customers on affected versions should upgrade to version 2.3.3 or later to fully address this vulnerability [1].
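The workaround above can be checked with a small audit script. This is an added example, not Cisco's code or part of the original record: it assumes CSCconfig.ini parses as a standard INI file with one permitted host per line under [ValidClients], and the `Settings` section name, the sample addresses and the `audit` function are constructed for illustration.

```python
import configparser

# Constructed samples. Assumed layout: standard INI, ValidateClients as a
# key in some section, one permitted host per line under [ValidClients].
DEFAULT_CFG = """\
[Settings]
ValidateClients = false
"""

HARDENED_CFG = """\
[Settings]
ValidateClients = true

[ValidClients]
192.0.2.10
192.0.2.11
"""

def audit(text, expected_hosts):
    """Return findings for a CSCconfig.ini-style text; [] means all checks pass."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(text)

    findings = []
    # The page does not say which section holds the key, so search them all.
    flags = [cp.get(sec, key) for sec in cp.sections()
             for key in cp.options(sec) if key.lower() == "validateclients"]
    if not flags:
        findings.append("ValidateClients is not set")
    elif any((v or "").strip().lower() != "true" for v in flags):
        findings.append("ValidateClients is not true")

    listed = set(cp.options("ValidClients")) if cp.has_section("ValidClients") else set()
    if not listed:
        findings.append("[ValidClients] lists no hosts")
    for host in sorted(listed - set(expected_hosts)):
        findings.append(f"unexpected host in [ValidClients]: {host}")
    for host in sorted(set(expected_hosts) - listed):
        findings.append(f"expected host missing from [ValidClients]: {host}")
    return findings

if __name__ == "__main__":
    admins = {"192.0.2.10", "192.0.2.11"}
    for name, cfg in (("default", DEFAULT_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit(cfg, admins) or "OK")
```

Comparing the listed hosts against an expected set also catches allowlist drift, where validation is enabled but an unapproved host has been added.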
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- cpe:2.3:a:cisco:ciscosecure:*:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References (2)