The issue has been addressed with the release of version 4.2.1.15.11

Aug 30, 2013 09:51 GMT  ·  By

Cisco has patched a vulnerability in Cisco Secure Access Control Server (ACS) that could have been leveraged by an unauthenticated remote attacker to execute arbitrary commands and take complete control of the affected server.

“The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication. An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device. An exploit could allow the attacker to execute arbitrary commands on the Cisco Secure ACS server and take full control of the affected server,” reads Cisco’s advisory.

The affected versions are Cisco Secure Access Control Server 4.0 through 4.2.1.15.

There are no known workarounds for this security hole. Customers of affected ACS versions are advised to install version 4.2.1.15.11, which addresses the vulnerability.
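The advisory gives two version facts an administrator has to act on: the affected range (4.0 through 4.2.1.15) and the fixed release (4.2.1.15.11). Comparing those strings naively goes wrong, because the fixed release is the last affected version with two more components appended. The script below, an added example that is not Cisco's tooling or part of the original article, parses dotted versions into fixed-width integer tuples and flags hosts that need the update. The hostnames and the inventory are constructed; the one assumption beyond the page is that any build between 4.2.1.15 and 4.2.1.15.11 is treated as unpatched, which is the conservative reading of "install version 4.2.1.15.11".

```python
"""Triage Cisco Secure ACS hosts against the EAP-FAST advisory's version facts.

Added example; not Cisco's code. The two constants come from the advisory
as reported on the page. The inventory at the bottom is constructed.
"""
import re
from typing import Dict, Tuple

AFFECTED_FROM = "4.0"          # first affected version (from the advisory)
FIXED_RELEASE = "4.2.1.15.11"  # release that addresses the issue (from the advisory)


def parse_version(text: str, width: int = 5) -> Tuple[int, ...]:
    """Convert '4.2.1.15' into a fixed-width tuple such as (4, 2, 1, 15, 0).

    Padding with zeros makes a four-part version comparable with a
    five-part one, so 4.2.1.15 sorts below 4.2.1.15.11 instead of being
    treated as a different kind of value.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    if len(parts) > width:
        raise ValueError(f"more than {width} components: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str) -> bool:
    """True when the version lies in [4.0, 4.2.1.15.11).

    Assumption (not stated on the page): builds newer than 4.2.1.15 but
    older than the fixed 4.2.1.15.11 are treated as still unpatched.
    """
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_RELEASE)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to the action an administrator should take."""
    actions = {}
    for host, version in inventory.items():
        if is_affected(version):
            actions[host] = f"upgrade to {FIXED_RELEASE}"
        else:
            actions[host] = "no action required"
    return actions


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample_inventory = {
        "acs-lab-01": "4.2.1.15",
        "acs-dc-02": "4.2.1.15.11",
        "acs-old-03": "4.0",
        "acs-legacy-04": "3.3.4",
    }
    for host, action in triage(sample_inventory).items():
        print(f"{host}: {action}")
```

The check is deliberately strict about input: a version string with letters or a stray build tag raises rather than silently comparing as "not affected", which is the failure mode you least want in a patch-compliance script.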

Before deploying the update, customers are advised to check the software for feature set compatibility and known issues that are specific to their environments.