CVE Advisory - Partial Disclosure CISCO ISE Path Traversal
10/21/2022
Introduction
In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service Engine (ver. 3.1.0.518-Patch3-22042809).
Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have access to, when and how they can do it.
ISE therefore not only guarantees software-defined access and automates network segmentation within IT and OT environments, but also provides a means of visibility into the 'state' of the network.
Advisory
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM
- https://nvd.nist.gov/vuln/detail/CVE-2022-20822
CVE-2022-20822 – Path Traversal – CWE 22
| CVE-2022-20822 – Path Traversal – CWE 22 | |||
|---|---|---|---|
| PRODUCT LINE | VERSION | SCORE | IMPACT |
| Cisco Identity Services Engine | 3.1 - 3/1P1-P4, 3.2 | 7.1 | High |
| OWASP CATEGORY | OWASP CONTROL | ||
| A01 - Broken Access Control A05 - Security Misconfiguration |
WSTG-ATHZ-01 | ||
| AFFECTED ENDPOINT - AFFACTED PARAMETER | |||
| omitted | |||
| PREREQUISITES | |||
| No Special Configuration is required to reproduce the issue | |||
| CVSS VECTOR | |||
| AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N | |||
Description
The local disk management functionality is affected by a Path Traversal vulnerability: by exploiting this vulnerability, an authenticated attacker is able to read and delete arbitrary files contained in the filesystem. This vulnerability affects both the integrity and confidentiality of the system running the Cisco Identity Services Engine.
Owasp Category
A01 – Broken Access Control – An attack of this type aims to gain access to files and directories stored outside the directory tree directly exposed by the web service; this is mainly done by manipulating variables with 'dot-dot-slash' sequences (../) and similar techniques or by using absolute paths.
The kind of attack allows an attacker to navigate through the filesystem to reach sensitive files that are not normally allowed access to, such as configuration files, source code and others.
Mitigation
Version 3.1: https://software.cisco.com/download/home/283801620/type/283802505/release/3.1.0
Version 3.2: https://software.cisco.com/download/home/283801620/type/283802505/release/3.2.0
More updates will be published according to the vendor patching schedule
Timeline
July 2022: Discovered by Davide Virruso of Yoroi.
August 3, 2022: Reported via email to Cisco Product Security Incident Response Team, issue assigned case number PSIRT-0255661654.
August 3, 2022: Cisco assigned the Incident Manager to the case, the issue id is CSCwc62415.
August 9, 2022: Together with Cisco, it was decided to increase the disclosure timeframe by 15 days.
August 11, 2022: Yoroi followed up, asking for progress.
August 12, 2022: Cisco IM provided a comprehensive update on the status of the issue.
September 8, 2022: Cisco IM provides a complete detail on the issue reporting vector, score and sir advisory with fixing dates.
September 19, 2022: Cisco IM starts preparing the advisory by asking for publication details.
September 29, 2022: coordinated disclosure was agreed with the IM for 19 October.
October 7, 2022: Cisco provides the CVE ID
October 19, 2022: Cisco publishes its advisory.
October 21, 2022: Yoroi publishes its advisory.
