Cisco's NAC gets hacked

Security researchers in Germany are reported to have developed a utility that allows an unauthorised PC to disguise itself as a legitimate client in a Cisco Network Admission Control (NAC) environment.

The result, speakers at the Black Hat Europe conference said late last week, is that Cisco's end-point security strategy is effectively bypassed.

The researchers, from ERNW, a German security and penetration testing firm, have released their tool, called "NAC Credential Spoofing", on Usenet.

ERNW says it has informed Cisco of the vulnerabilities and the existence of its utility, but the company has so far not responded.

According to newswire reports, the utility stems from a couple of "design flaws" that ERNW discovered in Cisco's NAC. The flaws were found in the communication between the client and the Cisco Secure Access Control Server (ACS), the policy server that decides whether a client is admitted to the network.

The first flaw centres on a lack of authentication between the client and the ACS, whilst the second is that the server has no way to verify that the client is telling the truth about its configuration.

This means, says ERNW, that a client can be set up to lie to the policy server about its antivirus status and other posture details.

To back up their claim, ERNW told attendees at the Amsterdam event that they had reverse-engineered the Cisco Trust Agent (CTA) and built a tool that lets an end-station pose as a legitimate device, responding to the policy server's questions with all the right answers.

The researchers even claim to have fabricated a fake Trend Micro plug-in that fooled the Cisco ACS into believing the client was kitted out with Trend Micro software...
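The two flaws described above are easiest to see in a toy posture-validation exchange. The following Python is an added illustration written for this page; it is not Cisco's protocol, not the ACS or CTA message format, and not ERNW's tool. The policy, the JSON messages, the device identifier "laptop-0042" and the per-device key are all constructed for the example. The "flawed" server accepts any client and believes whatever posture it reports, so a spoofing client that gives the expected answers is admitted. The "hardened" server refuses clients that cannot prove possession of a provisioned key, which closes the first flaw (no authentication) but, as the last case shows, not the second: an authenticated client can still sign a lie, because the server has no independent way to check the posture it is told.

```python
import hashlib
import hmac
import json

# Constructed policy: what the policy server wants to hear from a client
# before admitting it to the network.
REQUIRED_AV_VENDOR = "Trend Micro"
MAX_SIGNATURE_AGE_DAYS = 3


def posture_ok(posture):
    """Policy check on the posture a client reports about itself."""
    return (
        posture.get("av_vendor") == REQUIRED_AV_VENDOR
        and posture.get("av_running") is True
        and posture.get("sig_age_days", 10**6) <= MAX_SIGNATURE_AGE_DAYS
    )


# --- Flawed exchange: no client authentication, posture taken at face value ---

def flawed_server_decide(message):
    """Anyone may connect, and whatever the client says about itself is believed."""
    posture = json.loads(message)
    return "PERMIT" if posture_ok(posture) else "QUARANTINE"


def honest_client_message(real_posture):
    """A well-behaved agent reports the machine's actual posture."""
    return json.dumps(real_posture)


def spoofing_client_message():
    """A spoofing client gives 'all the right answers' regardless of what is
    installed. Nothing in the flawed exchange distinguishes it from an honest,
    compliant client."""
    return json.dumps({"av_vendor": REQUIRED_AV_VENDOR, "av_running": True, "sig_age_days": 0})


# --- Hardened exchange: client must prove possession of a provisioned device key ---

# Constructed per-device secret, assumed to be provisioned out of band at enrolment.
DEVICE_KEYS = {"laptop-0042": b"constructed-per-device-secret"}


def _mac(key, device_id, posture):
    body = json.dumps(posture, sort_keys=True)
    return hmac.new(key, f"{device_id}|{body}".encode(), hashlib.sha256).hexdigest()


def signed_client_message(device_id, key, posture):
    """Client side of the hardened exchange: posture plus an HMAC under the device key."""
    return json.dumps({"device_id": device_id, "posture": posture,
                       "mac": _mac(key, device_id, posture)})


def hardened_server_decide(message):
    """Reject anything not authenticated by a known device key, then apply the
    same posture policy as before."""
    m = json.loads(message)
    key = DEVICE_KEYS.get(m.get("device_id"))
    if key is None:
        return "DENY"  # unknown or missing device identity
    posture = m.get("posture", {})
    if not hmac.compare_digest(_mac(key, m["device_id"], posture), m.get("mac", "")):
        return "DENY"  # bad MAC: the client did not prove possession of the key
    return "PERMIT" if posture_ok(posture) else "QUARANTINE"


def demo():
    """Run the cases side by side and return the server decisions."""
    real = {"av_vendor": "none", "av_running": False, "sig_age_days": 400}
    lie = {"av_vendor": REQUIRED_AV_VENDOR, "av_running": True, "sig_age_days": 0}
    key = DEVICE_KEYS["laptop-0042"]
    forged = json.dumps({"device_id": "laptop-0042", "posture": lie, "mac": "00" * 32})
    return {
        "flawed/honest": flawed_server_decide(honest_client_message(real)),
        "flawed/spoofed": flawed_server_decide(spoofing_client_message()),
        "hardened/no_key": hardened_server_decide(spoofing_client_message()),
        "hardened/forged_mac": hardened_server_decide(forged),
        # Second flaw survives: an authenticated client can still sign a lie.
        "hardened/authenticated_lie": hardened_server_decide(
            signed_client_message("laptop-0042", key, lie)),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28} {decision}")
```

The hardened variant only moves the trust boundary from "anything that speaks the protocol" to "anything holding a device key". That stops an arbitrary box from joining, but a key extracted from a legitimate machine, or a legitimate machine running a lying agent, still produces a PERMIT for non-compliant posture. Making the posture itself trustworthy needs evidence the client cannot simply assert, which is a separate problem from authenticating the channel.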