Cisco Secure Access Control System Java Deserialization Vulnerability

Advisory: CERT.be Advisory #2018-007
Version: 1.0
Reference: CVE-2018-0147
CVSS: 9.8
Impacted software: Cisco Secure Access Control System (ACS) versions prior to release 5.8 patch 9
Type: Remote Code Execution (RCE - administrator/root)

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
Fixed version: release 5.8 patch 9

Risks

CERT.be recommends that system administrators install the Cisco Secure ACS 5.8.0.32.9 Cumulative Patch.
The vulnerability, tracked as CVE-2018-0147, has been categorized as “Remote Code Execution (RCE - administrator/root)”. An attacker could exploit this vulnerability by sending a crafted serialized Java object to execute arbitrary commands on the device with root privileges.

Summary

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.
The vulnerability is due to insecure deserialization of user-supplied content by the affected software and is exploitable by sending a crafted serialized Java object which allows the attacker to execute arbitrary commands on the device with root privileges.
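
As an added illustration of this vulnerability class (example code written for this advisory, not Cisco's ACS code), the unsafe readObject() pattern is shown beside a JEP 290 allowlist filter that rejects unexpected classes before they are instantiated; the SessionToken class and the sample payloads are assumptions constructed for the example.

```java
import java.io.*;

// Stand-in for a service that deserializes a request body: the vulnerable
// pattern beside a filtered one. Class and field names are illustrative.
class SessionToken implements Serializable {
    private static final long serialVersionUID = 1L;
    final String user;
    SessionToken(String user) { this.user = user; }
}

public class DeserializationHardening {
    // Vulnerable pattern: readObject() instantiates whatever classes the
    // untrusted stream names, so the sender chooses which types get loaded.
    static Object unsafeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern (JEP 290 filters, Java 9+): an allowlist rejects any
    // class not explicitly expected before it is instantiated, and caps graph
    // depth and array size to blunt resource-exhaustion payloads.
    static SessionToken safeRead(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "SessionToken;java.lang.String;maxdepth=3;maxarray=64;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            return (SessionToken) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionToken("alice"));                 // constructed sample
        byte[] unexpected = serialize(new java.util.HashMap<String, String>()); // a type not on the allowlist

        System.out.println("filtered, expected type: " + safeRead(expected).user);
        System.out.println("unfiltered, unexpected type accepted: " + unsafeRead(unexpected).getClass());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class named in the stream, including the String field and any array component types, so each type the application legitimately expects must appear on the allowlist ahead of the closing `!*`.
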
System administrators can verify the current version of the software in the web interface or in the ACS CLI.
Cisco Secure ACS Web-based Interface
Log in to the Cisco Secure ACS web-based interface and click the About link in the top right corner of the screen.
Cisco Secure ACS Command-line Interface
The show version command can be issued from the Cisco Secure ACS CLI.

Remediation

This vulnerability is fixed in Cisco Secure ACS 5.8.0.32.9 Cumulative Patch.
The software can be downloaded from the Software Center on Cisco.com by navigating to Products > Security > Network Visibility and Enforcement > Secure Access Control System > Secure Access Control System 5.8.