
=====================================================================

                           CERT-Renater

               Information Note No. 2014/VULN015
_____________________________________________________________________

DATE                : 15/01/2014

HARDWARE PLATFORM(S): Cisco Secure Access Control System.

OPERATING SYSTEM(S): Cisco Secure ACS software prior to release 5.5.

======================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs
______________________________________________________________________

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access
Control System

Advisory ID: cisco-sa-20140115-csacs

Revision 1.0

For Public Release 2014 January 15 12:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Secure Access Control System (ACS) is affected by the following
vulnerabilities:

    Cisco Secure ACS RMI Privilege Escalation Vulnerability
    Cisco Secure ACS RMI Unauthenticated User Access Vulnerability
    Cisco Secure ACS Operating System Command Injection Vulnerability

Cisco Secure ACS uses the Remote Method Invocation (RMI) interface for
internode communication using TCP ports 2020 and 2030.

These vulnerabilities are independent of each other; a release that is
affected by one of the vulnerabilities may not be affected by the others.

Cisco has released free software updates that address these
vulnerabilities. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs

Network-based mitigations for the RMI-based vulnerabilities are outlined
in the Cisco Applied Mitigation Bulletin: Identifying and Mitigating the
Multiple Vulnerabilities in Cisco Secure Access Control System
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32120
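
Because the RMI interface on TCP ports 2020 and 2030 is meant for internode
communication, connections to those ports from hosts outside the ACS deployment
are worth reviewing. The following check is an added example, not part of the
Cisco advisory or the Applied Mitigation Bulletin; the flow-record format, the
node addresses and the function name are assumptions made for illustration.

```python
import ipaddress

RMI_PORTS = {2020, 2030}  # internode RMI ports named in the advisory

# Constructed sample flow records: "proto src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
tcp 10.0.5.11 10.0.5.12 2020
tcp 10.0.5.12 10.0.5.11 2030
tcp 192.0.2.77 10.0.5.11 2020
udp 192.0.2.77 10.0.5.11 2030
tcp 10.0.9.40 10.0.5.12 2030
tcp 10.0.9.40 10.0.5.12 443
tcp 10.0.5.11 10.0.9.40 2020
garbage line
"""

# Assumed ACS deployment nodes (placeholder addresses, not from the advisory)
ACS_NODES = {"10.0.5.11", "10.0.5.12"}


def audit_rmi_flows(flow_text, acs_nodes, rmi_ports=RMI_PORTS):
    """Return (findings, skipped): flows reaching an ACS node's RMI port
    from a source that is not itself an ACS node, and unparseable lines."""
    nodes = {ipaddress.ip_address(n) for n in acs_nodes}
    findings, skipped = [], []
    for raw in flow_text.splitlines():
        fields = raw.split()
        try:
            proto, src, dst, dport = fields  # wrong field count raises ValueError
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            skipped.append(raw)  # keep malformed records visible to the analyst
            continue
        if proto.lower() != "tcp" or dport not in rmi_ports:
            continue
        # Node-to-node RMI traffic is expected; anything else is reported.
        if dst in nodes and src not in nodes:
            findings.append((str(src), str(dst), dport))
    return findings, skipped


if __name__ == "__main__":
    hits, bad = audit_rmi_flows(SAMPLE_FLOWS, ACS_NODES)
    for src, dst, port in hits:
        print(f"non-node source {src} -> ACS node {dst} tcp/{port}")
    print(f"{len(bad)} unparseable line(s) skipped")
```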


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
