CiscoSecure ACS for Windows NT Null Password Vulnerability

Affected Systems:

Cisco Secure ACS for Windows NT 2.42 and earlier

- Microsoft Windows NT 4.0

Unaffected Systems:

Cisco Secure ACS for Unix

Description:

Some LDAP services allow users to not specify a password. If CiscoSecure ACS for Windows NT is used with such

LDAP services, remote users may bypass the former's authentication mechanism to obtain access to the

router and switch that they should not have. .

<* Source: Cisco Security Advisory: Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server *>

Recommendation:

Temporary Solution:

NSFOCUS recommends that you temporarily adopt the Cisco solution before getting the upgraded version:

privilege password for enable on CiscoSecure ACS for Windows NT Server, not at far

On the server.

Vendor Patch:

Cisco offers a free upgrade version of 2.43, which will not be available in subsequent versions. Customers can obtain upgraded versions via the channel

: Br>

1) Normal upgrade channel

2) Software Center

3) Contact Technical Support

- +1 800 553 2447 (toll- Free from within North America)

- +1 408 526 7209 (toll call from anywhere in the world)

- E-mail: [email protected]