Cisco plugs ACS password security hole
Networking giant issues patch to stop hackers bypassing password protection in Access Control System.


Networking titan Cisco has patched a vulnerability in its Access Control System (ACS) platform that could allow hackers to bypass password protections.
The update installs a revised build of ACS; the affected component is the part of the platform that handles TACACS+ authentication.
Cisco said the vulnerability was caused by improper validation of user-supplied passwords when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store.
An attacker may exploit this vulnerability by sending a special sequence of characters when prompted for the user password.
The attacker would also need to know a valid username stored in the LDAP external identity store, and exploitation is limited to impersonating that one user.
A successful exploit could allow the attacker to authenticate to any system that uses TACACS+ in combination with an affected Cisco Secure ACS.
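The defect class Cisco describes above, a front end that forwards a user-supplied password to an external identity store without validating it first, is easy to model. The following is an added, constructed example and not Cisco's code: it simulates a TACACS+ front end in front of a mock LDAP directory. The mock honours the "unauthenticated bind" behaviour that RFC 4513 allows (a bind with a known name and an empty password succeeds as anonymous), which is one well-known way an unvalidated credential can slip through. The article does not give the actual character sequence used against ACS, and this example does not reproduce it; the identity store contents, class and function names are all assumptions made for the illustration.

```python
"""
Constructed simulation of the defect class described in the article:
a TACACS+-style front end that hands a user-supplied password straight
to an LDAP-style identity store.  Not Cisco's code; the bypass shown is
the generic RFC 4513 unauthenticated bind, not the ACS-specific input.
"""

# Constructed identity store: username -> password (assumption).
IDENTITY_STORE = {"alice": "correct horse battery staple"}


class MockLdapDirectory:
    """Models a directory that accepts an 'unauthenticated bind'
    (RFC 4513 section 5.1.2): a bind naming a known entry with an
    EMPTY password succeeds as anonymous instead of failing."""

    def __init__(self, store):
        self._store = store

    def simple_bind(self, username, password):
        """Return True when the directory would report a successful bind."""
        if username not in self._store:
            return False
        if password == "":
            # Unauthenticated bind: 'succeeds' without proving identity.
            return True
        return self._store[username] == password


def vulnerable_authenticate(directory, username, password):
    """Front end that forwards whatever the client supplied.  Because the
    directory's bind result is trusted as-is, an empty password is
    accepted for any username that exists in the store."""
    return directory.simple_bind(username, password)


def is_acceptable_password(password):
    """Reject input that should never reach the identity store: empty
    strings and anything containing control characters (NUL, CR, LF...)."""
    if not password:
        return False
    # str.isprintable() is False for control characters, True for space.
    return password.isprintable()


def hardened_authenticate(directory, username, password):
    """Validate the credential before any bind is attempted and treat a
    validation failure exactly like a failed authentication."""
    if not is_acceptable_password(password):
        return False
    return directory.simple_bind(username, password)


def compare(username, password):
    """Run both front ends against the same constructed store so the
    difference in outcome is visible for one (username, password) pair."""
    directory = MockLdapDirectory(IDENTITY_STORE)
    return {
        "vulnerable": vulnerable_authenticate(directory, username, password),
        "hardened": hardened_authenticate(directory, username, password),
    }


if __name__ == "__main__":
    for user, pw in [("alice", ""), ("alice", "correct horse battery staple"),
                     ("alice", "wrong"), ("bob", "")]:
        print(user, repr(pw), compare(user, pw))
```

The point for defenders is the order of operations: the front end, not the directory, owns the decision about what a credential may look like, and it must make that decision before the credential is forwarded. Relying on the external store to reject odd input is what turns a directory's permitted behaviour into an authentication bypass.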
The update is free to download and install, and Cisco is urging organisations to apply the fix as soon as possible.
The flaw was initially flagged by SANS security researcher Mark Baggett.
Baggett said exploitation of the vulnerability was "very easy".
"If you are using Cisco ACS for authentication you should probably take note of this announcement," he said.
News of the flaw in Cisco's ACS comes around a week after the company was forced to issue patches for its data centre and web conferencing products, including a flaw that could allow remote command execution in Cisco Prime Data Center Network Manager.
Versions prior to 6.1.1 are vulnerable to remote exploitation of the underlying system that hosts the application, according to Cisco.
It also reported SQL injection and buffer overrun vulnerabilities in its Cisco Unified MeetingPlace Web Conferencing product.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.