CVE-2006-4097 (GCVE-0-2006-4097)

Vulnerability from cvelistv5 – Published: 2007-01-08 23:00 – Updated: 2024-08-07 18:57

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

GSD-2006-4097

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2006-4097

Aliases

CVE-2006-4097

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2006-4097",
    "description": "Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet.  NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute.",
    "id": "GSD-2006-4097"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2006-4097"
      ],
      "details": "Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet.  NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute.",
      "id": "GSD-2006-4097",
      "modified": "2023-12-13T01:19:51.534438Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2006-4097",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet.  NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "cisco-acs-csadmin-dos(31334)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31334"
          },
          {
            "name": "23629",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/23629"
          },
          {
            "name": "21900",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/21900"
          },
          {
            "name": "VU#443108",
            "refsource": "CERT-VN",
            "url": "http://www.kb.cert.org/vuls/id/443108"
          },
          {
            "name": "ADV-2007-0068",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2007/0068"
          },
          {
            "name": "1017475",
            "refsource": "SECTRACK",
            "url": "http://securitytracker.com/id?1017475"
          },
          {
            "name": "36125",
            "refsource": "OSVDB",
            "url": "http://osvdb.org/36125"
          },
          {
            "name": "20070105 Multiple Vulnerabilities in Cisco Secure Access Control Server",
            "refsource": "CISCO",
            "url": "http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:cisco:secure_access_control_server:4.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cisco:secure_access_control_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2006-4097"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet.  NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "21900",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/21900"
            },
            {
              "name": "20070105 Multiple Vulnerabilities in Cisco Secure Access Control Server",
              "refsource": "CISCO",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml"
            },
            {
              "name": "1017475",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://securitytracker.com/id?1017475"
            },
            {
              "name": "23629",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/23629"
            },
            {
              "name": "VU#443108",
              "refsource": "CERT-VN",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.kb.cert.org/vuls/id/443108"
            },
            {
              "name": "36125",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://osvdb.org/36125"
            },
            {
              "name": "ADV-2007-0068",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2007/0068"
            },
            {
              "name": "cisco-acs-csadmin-dos(31334)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31334"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2018-10-30T16:25Z",
      "publishedDate": "2006-12-31T05:00Z"
    }
  }
}

FKIE_CVE-2006-4097

Vulnerability from fkie_nvd - Published: 2006-12-31 05:00 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://osvdb.org/36125
cve@mitre.org	http://secunia.com/advisories/23629	Vendor Advisory
cve@mitre.org	http://securitytracker.com/id?1017475
cve@mitre.org	http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml	Patch, Vendor Advisory
cve@mitre.org	http://www.kb.cert.org/vuls/id/443108	US Government Resource
cve@mitre.org	http://www.securityfocus.com/bid/21900
cve@mitre.org	http://www.vupen.com/english/advisories/2007/0068	Vendor Advisory
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/31334
af854a3a-2127-422b-91ae-364da2661108	http://osvdb.org/36125
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/23629	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://securitytracker.com/id?1017475
af854a3a-2127-422b-91ae-364da2661108	http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/443108	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/21900
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2007/0068	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/31334

Impacted products

	Vendor	Product	Version
	cisco	secure_access_control_server	*
	cisco	secure_access_control_server	4.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cisco:secure_access_control_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0CF3FC5-ACD6-49C7-930E-A8642444F9A3",
              "versionEndIncluding": "4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:secure_access_control_server:4.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "3C515B92-10F2-449C-A671-D67C6CA7AF01",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet.  NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades no especificadas en el servicio CSRadius de Cisco Secure Access Control Server (ACS) para Windows anetrior a 4.1 y ACS Solution Engine anterior a 4.1 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) mediante un paquete de solicitud de acceso RADIUS (RADIUS Access-Request) manipulado."
    }
  ],
  "id": "CVE-2006-4097",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2006-12-31T05:00:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://osvdb.org/36125"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/23629"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securitytracker.com/id?1017475"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/443108"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/21900"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2007/0068"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31334"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/36125"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/23629"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securitytracker.com/id?1017475"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/443108"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/21900"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2007/0068"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31334"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-200612-0484

Vulnerability from variot - Updated: 2025-04-10 23:07

Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet. NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute. Versions prior to 4.1 are vulnerable to these issues. Two of the vulnerabilities may permit arbitrary code execution after exploitation of the specified vulnerability. This vulnerability is also susceptible to a stack overflow condition. This vulnerability is also susceptible to a stack overflow condition.

Cisco has made free software available to address this issue for affected customers.

We would like to thank CESG's Vulnerability Research Group and National Infrastructure Security Co-ordination Centre (NISCC) for reporting several of these vulnerabilities to Cisco Systems.

We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml. The following example would be seen when running Cisco Secure ACS software version 4.0(1) Build 27:

CiscoSecure ACS
ACS software version 4.0(1) Build 27:
Copyright information is seen underneath this information.

Products Confirmed Not Vulnerable +--------------------------------

Cisco Secure ACS for Unix (CSU).
Cisco CNS Access Registrar (CAR).
Cisco Secure ACS server for Windows version 4.1(X) or later.
Cisco Secure ACS server solution Engine version 4.1(X) or later.

CSAdmin is the service that provides the web server for the ACS web administration interface.

CSRadius is the service that communicates between the CSAuth module (the authentication and authorization service) and the access device that is requesting authentication and authorization services.

Specially Crafted HTTP GET Request Vulnerability: +------------------------------------------------

This vulnerability is exploited by processing a specially crafted HTTP GET request. Upon successful exploitation, the CSAdmin service may crash. This vulnerability is also susceptible to a stack based overflow condition which may allow arbitrary code execution if successfully exploited.

If this vulnerability is successfully exploited, the CSAdmin service will require a manual restart of the service. Normal Authentication, Authorization and Accounting (AAA) processing will continue. With Cisco Secure ACS for Windows you can start or stop CSAdmin from the Windows Control Panel. Upon successful exploitation, the CSRadius service may crash and an exception trap error will be generated for the CSRadius service within the Windows Event Viewer System log. This vulnerability is also susceptible to a stack based overflow condition which may allow arbitrary code execution if successfully exploited.

This vulnerability is documented in Cisco Bug ID:

CSCse18278 -- Stack based overflow within CSRadius when processing Accounting-Request. These vulnerabilities will not allow arbitrary code execution after successful exploitation. An exception trap error will be recorded within the CSRadius log file and an error will be seen for the CSRadius service within the Windows Event Viewer System log after successful exploitation.

These vulnerabilities are documented in Cisco Bug IDs:

CSCse18250 -- CSRadius Service crashes when processing a specially crafted Access-Request packet. (CVE-2006-4097)
CSCeg04788 -- CSRadius Service crashes when processing a specially crafted Access-Request packet.
CSCeg04666 -- CSRadius Service crashes when processing a specially crafted Access-Request packet.

Vulnerability Scoring Details

Cisco is providing scores for the vulnerabilities in this advisory based Con the ommon Vulnerability Scoring System (CVSS).

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

Cisco Bug IDs:

CSCsd96293 - Stack based overflow within CSAdmin when processing HTTP GET request +---------------------------------------

CVSS Base Score - 10

Access Vector: Remote Access Complexity: Low Authentication: Not Required Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete Impact Bias: Normal

CVSS Temporal Score - 8.3