Cisco patch plugs password security flaws

Cisco has issued a patch to address a security flaw which could allow an attacker to bypass password protections in its Access Control System (ACS) platform.

The company said that the update would install a revision to the ACS platform, specifically the handling of the Tacas+ security protocol.

Cisco said that the flaw would potentially allow an attacker to use a specific set of characters in combination with a valid account name to cause a crash which lets the attacker bypass the authentication process and access the target system.

The company noted that while an attacker would need a valid user name, the technique could be used on any system with the vulnerable component.

Cisco is making the patch available as a free update. Both the company and third-party security researchers are advising administrators to install the fix as soon as possible.

"Exploitation is likely very easy," said Sans researcher Mark Baggett.

"If you are using Cisco ACS for authentication you should probably take note of this announcement."

The update is the latest in what is shaping up to be a busy month for administrators. Earlier in the week Adobe issued an update to address multiple flaws in its Flash Player media platform. Google also posted updates for its Chrome browser.

Microsoft is also slated to issue updates for its products next week when the company posts its monthly security update.