CVE Advisory - Partial Disclosure Cisco ISE Multiple Vulnerabilities

Introduction

Initially three vulnerabilities were discovered, which are described here: https://yoroi.company/?s=saguri. Further research led to the discovery of four other vulnerabilities, including a Command Injection which, if exploited, allows an attacker to gain root access to the system shell.
Cisco ISE is a network management tool that allows the definition and enforcement of security and management policies, enabling precise control over who can access the network, what they have access to, and when and how they can do it.
ISE therefore not only provides software-defined access and automates network segmentation within IT and OT environments, but also gives visibility into the 'state' of the network.

Advisory

Vulnerabilities

CVE-2022-20964 – Command Injection – CWE-78

Product line: Cisco Identity Services Engine
Version: 2.7 < 3.2 P1
Score: 6.3
Impact: High
OWASP category: A03 - Injection
OWASP control: WSTG-INPV-12
Affected endpoint - affected parameter: omitted
Prerequisites: No special configuration is required to reproduce the issue
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system.

This vulnerability is due to improper validation of user input within requests as part of the web based management interface tcpdump feature. An attacker with privileges sufficient to access the tcpdump feature could exploit this vulnerability by manipulating requests to the web based management interface to contain operating system commands. A successful exploit could allow the attacker to execute arbitrary operating system commands on the underlying operating system with the privileges of the web services user. The chaining of further issues could allow an attacker with command line access to elevate privileges to root and gain complete control over the system.
It is worth noting that Yoroi's proposed CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L.
Contrary to the official CVSS vector, Yoroi therefore rates the Confidentiality, Integrity and Availability impacts of this vulnerability as High, High and Low respectively.
At Yoroi, we think that the vulnerability's impact should not be understated, given the nature of the affected product and the possibility of achieving unauthenticated remote code execution as the root user by chaining multiple vulnerabilities (e.g. CVE-2022-20959, Reflected XSS; see https://yoroi.company/research/cve-advisory-partial-disclosure-cisco-ise-cross-site-scripting/ for more details).

Owasp Category

A03 – Injection – OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server running an application, typically compromising the application and all its data completely.
This type of vulnerability occurs when the contents of a parameter supplied as user input are used to execute commands on the OS, mostly through native programming language functions. The attack is possible when web application code uses user input in calls to the OS without first sanitizing that input.
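The validation gap described above, illustrated with an added example that is not Cisco ISE code: a constructed tcpdump request handler in the vulnerable form (request fields spliced into a shell string) beside a hardened form (allowlisted fields, argv list, no shell). The field names, the capture directory and the helper names are assumptions, since the advisory omits the real endpoint and parameters.

```python
import re
import subprocess

# Added example, not Cisco ISE code. The advisory omits the real endpoint and
# parameters, so the field names (interface, bpf_filter, capture_id) and the
# output directory are assumptions used to illustrate the pattern.

# Vulnerable pattern: request fields are spliced into one string that a shell
# will parse, so shell metacharacters in any field become part of the command.
def build_command_unsafe(interface: str, bpf_filter: str, out_file: str) -> str:
    return f"tcpdump -i {interface} -w {out_file} {bpf_filter}"

# Hardened pattern: allowlist each field, build an argv list, never use a shell.
INTERFACE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{0,15}")
# Characters a BPF filter legitimately needs; quotes, ; | & $ ` are excluded.
FILTER_RE = re.compile(r"[A-Za-z0-9 .:/()!=<>_-]{0,256}")
CAPTURE_ID_RE = re.compile(r"[0-9]{1,10}")
OUT_DIR = "/var/captures"  # assumed location for generated capture files

def build_command_safe(interface: str, bpf_filter: str, capture_id: str,
                       known_ifaces: set) -> list:
    # The interface must be well-formed AND one the system actually has.
    if not INTERFACE_RE.fullmatch(interface) or interface not in known_ifaces:
        raise ValueError("interface not permitted")
    if not FILTER_RE.fullmatch(bpf_filter):
        raise ValueError("filter contains disallowed characters")
    # The output name is derived server-side from a numeric id, so the client
    # can neither choose the path nor escape OUT_DIR.
    if not CAPTURE_ID_RE.fullmatch(capture_id):
        raise ValueError("bad capture id")
    argv = ["tcpdump", "-i", interface, "-w", f"{OUT_DIR}/{capture_id}.pcap"]
    if bpf_filter:
        # One argv element: tcpdump parses it as BPF, a shell never sees it.
        argv.append(bpf_filter)
    return argv

def try_build(interface: str, bpf_filter: str, capture_id: str,
              known_ifaces: set):
    """Return the argv list, or None when the request must be rejected."""
    try:
        return build_command_safe(interface, bpf_filter, capture_id, known_ifaces)
    except ValueError:
        return None

def start_capture(argv: list) -> subprocess.Popen:
    # shell=False: each argv element reaches tcpdump exactly as validated.
    return subprocess.Popen(argv, shell=False)
```

Rejecting the request outright, rather than trying to strip metacharacters from it, is what keeps the filter and interface fields from ever being interpreted by anything other than tcpdump itself.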

CVE-2022-20965 – Broken Access Control / tcpdump feature – CWE-648

Product line: Cisco Identity Services Engine
Version: 2.7 < 3.2 P1
Score: 4.3
Impact: Medium
OWASP category: A01 - Broken Access Control
OWASP control: WSTG-ATHZ-01, WSTG-ATHZ-02, WSTG-ATHZ-03, WSTG-ATHZ-04
Affected endpoint - affected parameter: omitted
Prerequisites: No special configuration is required to reproduce the issue
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

A vulnerability in the web based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass security restrictions within the web based management interface.

This vulnerability is due to improper access control on a feature within the web based management interface of the affected system. An attacker could exploit this vulnerability by accessing features through direct requests, thus bypassing checks within the application. A successful exploit could allow the attacker to take privileged actions within the web based management interface that should otherwise be restricted.
In contrast to Cisco's vector, where Confidentiality is set to None, we believe it should be rated Low, since an authenticated, remote attacker is able to download files generated by the function, leading to the disclosure of information that he or she should not be able to access.

Owasp Category

A01 – Broken Access Control – The access control of an application is responsible for managing the permissions on the data a user can access and the operations a user can perform. A Broken Access Control vulnerability leads to unauthorized disclosure of information, modification or deletion of data, or execution of a function outside the user's operational limits. Through these vulnerabilities it is possible to:

  • Access potentially sensitive information intended for another user.
  • Modify data related to another user, by manipulating parameters that refer to IDs or usernames.
  • Delete files outside one's remit, both those intended for other users and those outside the application context.

CVE-2022-20966 – Stored Cross Site Scripting / tcpdump feature – CWE-79

Product line: Cisco Identity Services Engine
Version: 2.7 < 3.2 P1
Score: 5.4
Impact: Medium
OWASP category: A03 - Injection
OWASP control: WSTG-INPV-02, WSTG-CLNT-03
Affected endpoint - affected parameter: omitted
Prerequisites: No special configuration is required to reproduce the issue
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

A vulnerability in the web based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web based management interface.

This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface tcpdump feature. An attacker could exploit this vulnerability by creating entries that contain malicious HTML or script code within the application interface. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks.

Owasp Category

A03 – Injection – Cross Site Scripting, also known as XSS, occurs when an application receives data in an HTTP request and includes it in the response in an unsafe manner, allowing clients to inject script and/or HTML code into a request and causing the server to return that script and/or HTML in the response.

This happens because the application takes untrusted data (in this case, from the client) and reuses it without performing any validation or sanitisation.

If the injected script is returned immediately in the response rather than being stored permanently, this is known as reflected XSS. The following are examples of what an attacker can achieve by exploiting a reflected XSS:

  • Perform any action within the application that the user can perform;
  • Display any information that the user is able to view;
  • Modify any information that the user can modify;
  • Initiate interactions with other users of the application, which will appear to come from the initial victim user.

CVE-2022-20967 – Stored Cross Site Scripting / Ext. RADIUS Server – CWE-79

Product line: Cisco Identity Services Engine
Version: 2.7 < 3.2 P1
Score: 4.8
Impact: Medium
OWASP category: A03 - Injection
OWASP control: WSTG-INPV-02, WSTG-CLNT-03
Affected endpoint - affected parameter: omitted
Prerequisites: No special configuration is required to reproduce the issue
CVSS vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Description

A vulnerability in the web-based management interface External RADIUS Server feature of Cisco ISE could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface.

This vulnerability is due to improper validation of input to an application feature before storage within the External RADIUS Server feature of the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks.

Owasp Category

A03 – Injection – Cross Site Scripting, also known as XSS, occurs when an application receives data in an HTTP request and includes it in the response in an unsafe manner, allowing clients to inject script and/or HTML code into a request and causing the server to return that script and/or HTML in the response.

This happens because the application takes untrusted data (in this case, from the client) and reuses it without performing any validation or sanitisation.

If the injected script is returned immediately in the response rather than being stored permanently, this is known as reflected XSS. The following are examples of what an attacker can achieve by exploiting a reflected XSS:

  • Perform any action within the application that the user can perform;
  • Display any information that the user is able to view;
  • Modify any information that the user can modify;
  • Initiate interactions with other users of the application, which will appear to come from the initial victim user.

Mitigation

  • Version 2.7 and earlier, 3.0 and earlier – Migrate to a fixed release (Cisco is evaluating fixes)
  • Version 3.1 – Patch: 3.1p6 (Mar 2023)
  • Version 3.2 – Patch: 3.2p1 (Jan 2023)

Hot patches could be available by request for the following Cisco ISE releases and patch levels: 3.1p5 and 3.2. Contact Cisco TAC to make the request.

More updates will be published according to the vendor's patching schedule.

Timeline

September 2022: Discovered by Davide Virruso of Yoroi.
September 12, 2022: Reported via email to Cisco Product Security Incident Response Team, issue assigned case number PSIRT-0023624786.
September 29, 2022: Cisco assigned the Incident Manager to the case.
October 3, 2022: Cisco changes the Incident Manager previously assigned to the case.
October 3, 2022: Yoroi followed up, asking for progress.
October 7, 2022: Cisco provides information on the status of the issues.
October 12, 2022: Coordinated disclosure was agreed with the IM for 16 November.
November 16, 2022: Cisco publishes its advisory.
November 24, 2022: Yoroi releases its advisory.
