VAR-200005-0117
Vulnerability from variot - Updated: 2022-05-17 01:46A number of vulnerabilities exist in the TACACS+ protocol. These are part of the protocol, and as such do not affect only those products listed as being vulnerable, but any implementation of TACACS+, both on the client and on the server side. 1) Integrity Checking TACACS+ does not use any form of integrity checking to ensure a TACACS+ packet has not been tampered with. Due to the nature of its encryption mechanism, an attacker could potentially alter a packet by flipping bits. One example cited is the possibility of an attacker flipping a single bit to alter an accounting packet, changing the elapsed_time being reported from 9000 to 1000. 2) Vulnerability to Replay TACACS+ has no protection against replay attacks. So long as a packet has the correct TACACS+ sequence number, it will be accepted. As TACACS+ sequence numbers start at 1, the server will always process packets with the sequence number of 1. The description of this vulnerability noted that this is most easily used against accounting packets, as they are single packet transactions. 3) Session ID collision The encryption mechanism for TACACS+ depends heavily on a unique session_id for each session. If multiple sessions get the same session_id and seq_no, it can become vulnerable to a frequency analysis attack. In addition, if plaintext is known in one packet, it is trivial to decrypt the corresponding portion of the other packet containing the same sequence and session id. It is possible to get a TACACS+ server to encrypt a reply packet using a chosen session_id. This makes it possible to compromise the encryption of packets from the server to client. 4) Session ID randomness Due to the length of the session_id, and an inability to prevent id collision across reboots and multiple servers, session id's will eventually be reused, which can result in the decryption of packets. For an ISP handling 20,000 dialup sessions a day, there could be over 100,000 session_id collisions in a year. 5) Lack of padding A lack of padding of fields in the protocol can reveal the length of these unpadded fields. This could result in revealing the length of a user password. 6) MD5 context leak A theoretical vulnerability exists whereby part of a packet may be decrypted, due to the presence of certain bytes. These attacks all require the attacker be present on the network where these transaction are taking place; in some cases, the attack may need to be on a machine or router seperating the client from the server. As such, while very real vulnerabilities, using them in a real world situation may be difficult.
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200005-0117",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "tac plus alpha",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.0.3"
},
{
"model": "tac plus alpha",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.0.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "12.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "12.0"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "11.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "11.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "11.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "11.0"
}
],
"sources": [
{
"db": "BID",
"id": "1294"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "These vulnerabilities were posted to the Bugtraq mailing list on May 30, 2000 by Solar Designer \u003csolar@false.com\u003e",
"sources": [
{
"db": "BID",
"id": "1294"
}
],
"trust": 0.3
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A number of vulnerabilities exist in the TACACS+ protocol. These are part of the protocol, and as such do not affect only those products listed as being vulnerable, but any implementation of TACACS+, both on the client and on the server side.\n1) Integrity Checking\nTACACS+ does not use any form of integrity checking to ensure a TACACS+ packet has not been tampered with. Due to the nature of its encryption mechanism, an attacker could potentially alter a packet by flipping bits. One example cited is the possibility of an attacker flipping a single bit to alter an accounting packet, changing the elapsed_time being reported from 9000 to 1000.\n2) Vulnerability to Replay\nTACACS+ has no protection against replay attacks. So long as a packet has the correct TACACS+ sequence number, it will be accepted. As TACACS+ sequence numbers start at 1, the server will always process packets with the sequence number of 1. The description of this vulnerability noted that this is most easily used against accounting packets, as they are single packet transactions.\n3) Session ID collision\nThe encryption mechanism for TACACS+ depends heavily on a unique session_id for each session. If multiple sessions get the same session_id and seq_no, it can become vulnerable to a frequency analysis attack. In addition, if plaintext is known in one packet, it is trivial to decrypt the corresponding portion of the other packet containing the same sequence and session id. It is possible to get a TACACS+ server to encrypt a reply packet using a chosen session_id. This makes it possible to compromise the encryption of packets from the server to client.\n4) Session ID randomness\nDue to the length of the session_id, and an inability to prevent id collision across reboots and multiple servers, session id\u0027s will eventually be reused, which can result in the decryption of packets. For an ISP handling 20,000 dialup sessions a day, there could be over 100,000 session_id collisions in a year.\n5) Lack of padding\nA lack of padding of fields in the protocol can reveal the length of these unpadded fields. This could result in revealing the length of a user password.\n6) MD5 context leak\nA theoretical vulnerability exists whereby part of a packet may be decrypted, due to the presence of certain bytes.\nThese attacks all require the attacker be present on the network where these transaction are taking place; in some cases, the attack may need to be on a machine or router seperating the client from the server. As such, while very real vulnerabilities, using them in a real world situation may be difficult.",
"sources": [
{
"db": "BID",
"id": "1294"
}
],
"trust": 0.3
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "1294",
"trust": 0.3
}
],
"sources": [
{
"db": "BID",
"id": "1294"
}
]
},
"id": "VAR-200005-0117",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2022-05-17T01:46:11.656000Z",
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 0.3,
"url": "http://www.openwall.com/advisories"
}
],
"sources": [
{
"db": "BID",
"id": "1294"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "BID",
"id": "1294"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2000-05-30T00:00:00",
"db": "BID",
"id": "1294"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2000-05-30T00:00:00",
"db": "BID",
"id": "1294"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "network",
"sources": [
{
"db": "BID",
"id": "1294"
}
],
"trust": 0.3
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "TACACS+ Protocol Flaws Vulnerabilities",
"sources": [
{
"db": "BID",
"id": "1294"
}
],
"trust": 0.3
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Design Error",
"sources": [
{
"db": "BID",
"id": "1294"
}
],
"trust": 0.3
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.