=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN464
_____________________________________________________________________

DATE                      : 28/08/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Cisco Clean Access Agent.

======================================================================

Cisco Security Response: NAC Agent Installation Bypass

http://www.cisco.com/warp/public/707/cisco-sr-20060826-nac.shtml

Revision 1.0

For Public Release 2006 August 26 1900 UTC (GMT)

+-------------------------------------------------------------------

Contents
========

     Cisco Response
     Additional Information
     Revision History
     Cisco Security Procedures

+-------------------------------------------------------------------

Cisco Response
==============

This is the Cisco PSIRT response to the statements made by Andreas Gal
and Joachim Feise in their advisory entitled "NAC agent installation
bypass", available at
http://www.securityfocus.com/archive/1/444424/30/0/threaded

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information
======================

The goal of the attack described in the advisory is to bypass the
Operating System (OS) detection mechanisms available in the NAC
(Network Admission Control ) appliance software, in order to
prevent the mandatory installation of the Cisco Clean Access (CCA)
Agent. If the CCA Agent is not installed, machines that do not
comply with the configured software policies will not be
automatically patched/upgraded or quarantined on initial access to
the network.

While it is possible to bypass the mandatory agent installation by
following the steps in the advisory, it should be noted that:

1) Users cannot bypass authentication using the approach described
in the advisory. Accordingly, unauthorized users (i.e., users with
no credentials or invalid credentials) will not be able to gain
access to the network using such approach.

2) If an administrator is concerned that users might attempt to
bypass CCA Agent installation by masquerading a Windows machine as
a non-Windows machine (e.g., Linux, MacOSX, etc.), the
administrator can define Network Scanning rules on the CCA Manager
and use network scans to perform additional OS-specific checks.
This process should detect users attempting to masquerade their
Windows machines as non-Windows machines.

Additional information on how to configure Network Scanning rules
can be found in the Tech Note entitled Clean Access - Use the
Network Scanning Feature to Detect Users Who Attempt to Bypass
Agent Checks.

3) If a malicious user installs a personal firewall or similar
software for the purpose of making the network scan time out, CCA
provides options to quarantine such malicious users. Following such
quarantine, administrators can then determine if users are
attempting to masquerade their OS. Alternatively, network
administrators can ask users to configure their personal firewalls
to allow any traffic sourced from the Clean Access Server (CAS) IP
address, so that it can successfully perform network scans.

4) Customers can also manually install either the CCA Agent
software or the CCA Agent Installation stub (available in CCA
version 4.0.0 and above) on end-user Windows machines, instead of
using the OS detection routines. This will completely prevent the
agent installation bypass described in the advisory from Andreas
Gal and Joachim Feise.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT
IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE
THIS DOCUMENT AT ANY TIME.

Revision History
================

+--------------------------------------+
| Revision |                | Initial  |
| 1.0      | 2006-August-26 | public   |
|          |                | release. |
+--------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- -------------------------------------------------------------------

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================