Remote Unauthenticated Bug Haunts Cisco ACS Server: There is a critical, remotely exploitable vulnerability in Cisco’s Secure Access Control Server that allows a remote attacker to take complete control of a vulnerable server. The bug results from a bad implementation of the EAP-FAST protocol, and it affects a number of versions of the Cisco ACS.
The vulnerability is highly critical, as an attacker needs no authentication whatsoever and can take control of the machine running the server. Cisco officials said the flaw only exists when the ACS server is configured as a RADIUS server. The company has issued a patch for the vulnerability, but there are no workarounds that can be implemented before the patch is rolled out.