Hello,

On Fri, Aug 25, 2006 at 08:23:28PM -0400, Andreas Gal wrote:

[...]

> Vulnerability:
> Previous versions of the software allowed users to bypass the "mandatory"
> installation of the Clean Access Agent by changing the browser user-agent
> string. With version 3.6.0, Cisco added additional detection mechanisms
> such as TCP fingerprinting and JavaScript OS detection. By changing the
> default parameters of the Windows TCP/IP stack and using a custom HTTPS
> client (instead of a browser) the user can still connect to the network
> without running any host-based checks. Authentication and remote checks
> are not affected.

[...]

This is the Cisco PSIRT response to the above statements made by Andreas Gal and Joachim Feise in their advisory entitled "NAC agent installation bypass", which was posted to the Bugtraq and full-disclosure mailing lists.

We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Additional Information
======================

The goal of the attack described in the advisory is to bypass the Operating System (OS) detection mechanisms available in the NAC (Network Admission Control) appliance software, in order to prevent the mandatory installation of the Cisco Clean Access (CCA) Agent. If the CCA Agent is not installed, machines that do not comply with the configured software policies will not be automatically patched/upgraded or quarantined on initial access to the network.

While it is possible to bypass the mandatory agent installation by following the steps in the advisory, it should be noted that:

1) Users cannot bypass authentication using the approach described in the advisory. Accordingly, unauthorized users (i.e., users with no credentials or invalid credentials) will not be able to gain access to the network using such an approach.
2) If an administrator is concerned that users might attempt to bypass CCA Agent installation by masquerading a Windows machine as a non-Windows machine (e.g., Linux, MacOSX, etc.), the administrator can define Network Scanning rules on the CCA Manager and use network scans to perform additional OS-specific checks. This process should detect users attempting to masquerade their Windows machines as non-Windows machines. Additional information on how to configure Network Scanning rules can be found in the Tech Note entitled "Clean Access - Use the Network Scanning Feature to Detect Users Who Attempt to Bypass Agent Checks".

3) If a malicious user installs a personal firewall or similar software for the purpose of making the network scan time out, CCA provides options to quarantine such malicious users. Following such quarantine, administrators can then determine if users are attempting to masquerade their OS. Alternatively, network administrators can ask users to configure their personal firewalls to allow any traffic sourced from the Clean Access Server (CAS) IP address, so that it can successfully perform network scans.

4) Customers can also manually install either the CCA Agent software or the CCA Agent Installation stub (available in CCA version 4.0.0 and above) on end-user Windows machines, instead of using the OS detection routines. This will completely prevent the agent installation bypass described in the advisory from Andreas Gal and Joachim Feise.

This response will also be posted to http://www.cisco.com/warp/public/707/cisco-sr-20060826-nac.shtml

Cheers,

Eloy Paris.-
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
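The cross-checking idea behind points 2 and 3 above, as an added illustration that is not Cisco's code and does not reflect how the CCA Manager implements Network Scanning rules: an OS claimed via the User-Agent is compared against evidence the client does not control as easily (passive TCP fingerprint, active scan for Windows-only listeners), and a scan that times out is treated as a quarantine case rather than a pass. All records, TTL defaults and port sets are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class ClientEvidence:
    """Constructed view of one client at admission time (example data model)."""
    ip: str
    user_agent: str                     # OS the HTTP client claims
    syn_ttl: int                        # initial TTL observed on the client's TCP SYN
    open_ports: set = field(default_factory=set)  # active-scan result
    scan_completed: bool = True         # False if the network scan timed out

# Assumed indicators: TCP/RPC/SMB listeners that are typical of a Windows host.
WINDOWS_SERVICE_PORTS = {135, 139, 445}

def claimed_os(user_agent: str) -> str:
    """Coarse OS class parsed from the User-Agent string (the attacker-controlled claim)."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "macos"
    if "linux" in ua:
        return "linux"
    return "unknown"

def stack_guess(ttl: int) -> str:
    """Passive guess from the SYN TTL; assumes default initial TTLs of 128
    (Windows) and 64 (Unix-like). A tuned stack can defeat this alone, which is
    why the active-scan check below is kept independent of it."""
    if 65 <= ttl <= 128:
        return "windows"
    if 0 < ttl <= 64:
        return "unix-like"
    return "unknown"

def masquerade_findings(ev: ClientEvidence) -> list:
    """Return reasons to distrust a non-Windows claim, or a quarantine marker
    when the scan could not complete (point 3 above)."""
    if not ev.scan_completed:
        return ["scan-timed-out-quarantine"]
    findings = []
    if claimed_os(ev.user_agent) != "windows":
        if stack_guess(ev.syn_ttl) == "windows":
            findings.append("tcp-stack-looks-windows")
        if ev.open_ports & WINDOWS_SERVICE_PORTS:
            findings.append("windows-services-exposed")
    return findings

def admission_action(ev: ClientEvidence) -> str:
    """Map findings to the actions the text describes: require the agent,
    quarantine, or allow the non-Windows flow."""
    f = masquerade_findings(ev)
    if "scan-timed-out-quarantine" in f:
        return "quarantine"
    return "require-agent" if f else "allow"
```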