Hi Mark, On Tue, Jan 09, 2007 at 12:40:47PM -0700, Mark Senior wrote: > Perhaps you can't comment, which I respect, but I wonder - is there a > general Cisco policy on vulnerability announcements being short on technical > detail like this? This advisory seemed pretty much standard for advisories > coming from Cisco, which is to say that the reader is often left to draw > inferences, which are not always correct (though perhaps mine were more > incorrect than the average reader's). The policy is to strive to provide as much details as possible for administrators to determine their exposure but, at the same time, not to make too easy for bad guys to exploit vulnerability. Again, the emphasis is on exposure which does not necessary means that all technical details are necessary. Sounds easy in theory but not always easy in practice. Therefore we appreciate feedback on how are we doing. > Just to make sure I'm understanding this - would the attacker need the > shared secret in order to get the CAS to do anything - i.e. are we talking > about a compromise of (the shared secret from) one Clean Access box in an > admin domain being expandable to all the Clean Access boxes in that admin > domain? Or, is the ability to carry on a TCP conversation sufficient, no > prior access to a shared secret required? Yes, the attacker must know the shared secret. Due to the vulnerability the shared secret is the same for all affected devices. So, if you have affected device then, in a way, you have and know it. > In practice, I suspect that if the attacker has downloaded the hashes, the > damage is done. The best you can realistically expect of typical ops groups > is that they will make the attacker wait a week or two, instead of half an > hour. If you're lucky, you might realize that someone has the hashes and > change all the passwords, and pray your folks didn't just increment the > number at the end of their passwords like usual. > > Not that that's Cisco's problem... We can encourage customers not to do that by enforcing rules when they change passwords. So we can help :) Regards, Gaus ============== Damir Rajnovic <psirt@xxxxxxxxx>, PSIRT Incident Manager, Cisco Systems <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB ============== There are no insolvable problems. The question is can you accept the solution?
Attachment:
pgptRsre2E7kS.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/