Cisco ACS unauthorized password change vulnerability

A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password.

Successful exploitation requires the user account to be defined on the internal identity store.

This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password.

The following Cisco Secure ACS versions are affected:

• Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed
• Cisco Secure ACS version 5.2 without any patches installed
• Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed.

Cisco has released free software updates that address this vulnerability, there is no workaround.