
CVE Advisory - Partial Disclosure CISCO ISE Path Traversal

Introduction

In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Services Engine (ver. 3.1.0.518-Patch3-22042809).

Cisco ISE is a network management tool for defining and implementing security and management policies, which enable precise control over who can access the network, what they can access, and when and how they can do so.

ISE therefore not only guarantees software-defined access and automates network segmentation within IT and OT environments, but also provides a means of visibility into the 'state' of the network.

Advisory

CVE-2022-20822 – Path Traversal – CWE 22

PRODUCT LINE: Cisco Identity Services Engine
VERSION: 3.1 - 3/1P1-P4, 3.2
SCORE: 7.1
IMPACT: High
OWASP CATEGORY: A01 - Broken Access Control; A05 - Security Misconfiguration
OWASP CONTROL: WSTG-ATHZ-01
AFFECTED ENDPOINT - AFFECTED PARAMETER: omitted
PREREQUISITES: No special configuration is required to reproduce the issue
CVSS VECTOR: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Description

The local disk management functionality is affected by a Path Traversal vulnerability: by exploiting this vulnerability, an authenticated attacker is able to read and delete arbitrary files contained in the filesystem. This vulnerability affects both the integrity and confidentiality of the system running the Cisco Identity Services Engine.

OWASP Category

A01 – Broken Access Control – An attack of this type aims to gain access to files and directories stored outside the directory tree directly exposed by the web service; this is mainly done by manipulating variables with 'dot-dot-slash' sequences (../) and similar techniques or by using absolute paths.
This kind of attack allows an attacker to navigate the filesystem and reach sensitive files that they are not normally allowed to access, such as configuration files, source code and others.
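
The containment check that defeats both techniques named above ('dot-dot-slash' sequences and absolute paths), and symlinks as well, shown as an added example; it is not Cisco's or Yoroi's code, and the directory name "localdisk", the file names and the function names are hypothetical.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """The requested name resolves outside the managed directory."""


def naive_join(base, name):
    # Vulnerable pattern: "../" segments survive the join, and an absolute
    # `name` discards `base` completely.
    return os.path.join(base, name)


def resolve_within(base, name):
    """Return the real path for `name` under `base`, or raise PathEscapeError."""
    if "\x00" in name:
        raise PathEscapeError("NUL byte in name")
    base_real = os.path.realpath(base)
    # realpath() collapses ".." and follows symlinks, so the containment
    # check below is made on the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base_real, name))
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise PathEscapeError(f"{name!r} is not a file inside {base_real}")
    return candidate


def demo():
    """Run constructed inputs through resolve_within(); return label -> verdict."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "localdisk")       # hypothetical managed directory
        outside = os.path.join(root, "secret.conf")  # file the user must not reach
        os.mkdir(base)
        for path in (os.path.join(base, "report.txt"), outside):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(outside, os.path.join(base, "link"))
        cases = [("plain", "report.txt"), ("dot-dot-slash", "../secret.conf"),
                 ("nested", "sub/../../secret.conf"), ("absolute", outside),
                 ("symlink", "link")]
        for label, name in cases:
            try:
                resolve_within(base, name)
                verdicts[label] = "ok"
            except PathEscapeError:
                verdicts[label] = "rejected"
    return verdicts
```

A read or delete handler should operate on the path returned by resolve_within(), never on the original user-supplied name, and the same check applies to every operation that takes a file name.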

Mitigation


Version 3.1: https://software.cisco.com/download/home/283801620/type/283802505/release/3.1.0
Version 3.2: https://software.cisco.com/download/home/283801620/type/283802505/release/3.2.0

More updates will be published according to the vendor patching schedule.

Timeline

July 2022: Discovered by Davide Virruso of Yoroi.
August 3, 2022: Reported via email to Cisco Product Security Incident Response Team, issue assigned case number PSIRT-0255661654.
August 3, 2022: Cisco assigned the Incident Manager to the case, the issue id is CSCwc62415.
August 9, 2022: Together with Cisco, it was decided to increase the disclosure timeframe by 15 days.
August 11, 2022: Yoroi followed up, asking for progress.
August 12, 2022: Cisco IM provided a comprehensive update on the status of the issue.
September 8, 2022: Cisco IM provides complete details on the issue, reporting vector, score and advisory SIR with fixing dates.
September 19, 2022: Cisco IM starts preparing the advisory by asking for publication details.
September 29, 2022: coordinated disclosure was agreed with the IM for 19 October.
October 7, 2022: Cisco provides the CVE ID.
October 19, 2022: Cisco publishes its advisory.
October 21, 2022: Yoroi publishes its advisory.

