A couple of flaws in Cisco Systems Inc.'s Network Admission Control (NAC) architecture allow unauthorized PCs to present themselves as legitimate devices on the network, according to security researchers in Germany.
A tool that takes advantage of the flaws was demonstrated at the recent Black Hat security conference in Germany by Dror-John Roecher and Michael Thumann, two researchers working for ERNW GmbH, a Heidelberg-based penetration testing firm.
Cisco's NAC technology is designed to let IT managers set rules that prevent a client device from accessing a network unless it complies with policies on antivirus software updates, firewall configurations, software patches and other issues. "Cisco Trust Agent" technology sits on each network client and gathers the information needed to determine whether the device is in compliance with policies or not. A policy management server then either lets the device log into the network or puts it into a quarantine zone, depending on the information relayed by the Trust Agent.
But a "fundamental design" failure by Cisco to ensure proper client authentication makes it possible for pretty much any device to interact with the policy server, Roecher said. "Basically, it allows anyone to come along and say, 'Here are my credentials, this is my service pack level, this is the list of installed patches, my antivirus software is current' " and ask to be logged in, he said.
The second flaw is that the policy server has no way of knowing whether the information it gets from the trust agent truly represents that machine's status -- making it possible to send spoofed information to the policy server, Roecher said.
"There's a way of persuading the installed Trust Agent to not report what's actually on the system but to report what we want it to," he said. For instance, the Trust Agent could be fooled into thinking that a system has all the required security patches and controls and allow it to log into a network. "We can spoof the credentials and gain access to the network" with a system that is completely out of policy, he said.
The attack only works with devices that have a Cisco Trust Agent installed on them. "We did that because it needed the least effort," Roecher said. ERNW is already working on a hack that will allow even systems without a Trust Agent to log into a Cisco NAC environment, but the tool for doing that will not be ready until at least August. "An attacker wouldn't need to have the Trust Agent anymore. It's a complete replacement of the Trust Agent."
Cisco officials were not immediately available for comment. But in a note posted on Cisco's Web site, the company noted that "the method of the attack is to simulate the communication between Cisco Trust Agent (CTA) and its interaction with network enforcement devices." It is possible to spoof the information pertaining to the device's status, or "posture," Cisco said.
But NAC "does not require posture information to authenticate incoming users as they access the network. In this regard, the [Trust Agent] is only a messenger to transport posture credentials," Cisco said.
Alan Shimel, chief security officer at StillSecure, a company that sells products that compete with Cisco NAC, said that Cisco's use of a proprietary authentication protocol may be causing some of the problems. "They don't have a mechanism for accepting certificates" to authenticate devices like the 802.1x network access control standard does, he said.
The Cisco Trust Agent spoofing issue highlighted by the researchers is a more generic problem, he said. Any agent software that lives on a machine, tests the machine and reports back to a server can be spoofed, whether it is Cisco's Trust Agent or some other software, he said. "This has always been an argument against use of client-side agents" for checking the security status of a PC, he said.
The security issues raised by the German researchers also highlight the importance of having "post-admission" network controls in addition to a "pre-admission" check such as Cisco NAC, said Jeff Prince, chief technology officer at ConSentry, a security vendor that sells such products.
"NAC is an important first line of defense, but it is not very useful" without ways of controlling what a user can do after gaining network access, he said.
This story, "Cisco Hacks Expose Flaw" was originally published by Computerworld.