Cisco Patches Secure ACS Vulnerabilities

The vulnerabilities affect Secure ACS for Windows and the Cisco Secure ACS Solution Engine, according to a Cisco advisory issued Friday.

Secure ACS, an identity networking solution that simplifies user management by combining authentication, user and administrator access and policy control, is a key part of Cisco's trust and identity management framework and one of the cornerstones of the vendor's Network Admission Control (NAC) technology.

Cisco, which last week began issuing threat ratings using the Common Vulnerability Scoring System, issued CVSS base scores of 10 and 6 for a pair of stack-based buffer overflow flaws, and base scores of 3.3 for the three denial-of-service flaws.

Security firm Secunia gave the vulnerabilities a blanket score of highly critical, or 4 on a 5-point scale, and Symantec rated their severity as 8.9 on a 10-point scale.

In June, Cisco patched a flaw in Secure ACS that could allow an attacker to gain administrative access to the Web-based interface used to manage network devices.

Cisco credited a pair of U.K. government security research organizations, the Communications Electronics Security Group (CESG) and the National Infrastructure Security Coordination Center (NISCC), for discovering several of the flaws.
