CVE-2013-3466

The EAP-FAST authentication module in Cisco Secure Access Control Server (ACS) 4.x before 4.2.1.15.11, when a RADIUS server configuration is enabled, does not properly parse user identities, which allows remote attackers to execute arbitrary commands via crafted EAP-FAST packets, aka Bug ID CSCui57636.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Secure_access_control_server	Cisco	*	4.2.1.15.10 (including)
Secure_access_control_server	Cisco	4.2.1.15.0 (including)	4.2.1.15.0 (including)
Secure_access_control_server	Cisco	4.2.1.15.1 (including)	4.2.1.15.1 (including)
Secure_access_control_server	Cisco	4.2.1.15.2 (including)	4.2.1.15.2 (including)
Secure_access_control_server	Cisco	4.2.1.15.3 (including)	4.2.1.15.3 (including)
Secure_access_control_server	Cisco	4.2.1.15.4 (including)	4.2.1.15.4 (including)
Secure_access_control_server	Cisco	4.2.1.15.6 (including)	4.2.1.15.6 (including)
Secure_access_control_server	Cisco	4.2.1.15.7 (including)	4.2.1.15.7 (including)
Secure_access_control_server	Cisco	4.2.1.15.8 (including)	4.2.1.15.8 (including)
Secure_access_control_server	Cisco	4.2.1.15.9 (including)	4.2.1.15.9 (including)

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-3466
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

References

CVE-2013-3466

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References