
CVE Advisory - Partial Disclosure Cisco ISE Broken Access Control

Introduction

Through the internal project called Saguri, we began analysing Cisco Identity Services Engine 3.1.0.518-Patch3-22042809. Cisco ISE is a tool for managing one's own network and more: it allows security and management policies to be implemented and applied dynamically and automatically, which in practice simplifies the deployment of network access control. ISE governs who can access the network, what they can access, how they can access it, and when. ISE therefore not only provides software-defined access and automates network segmentation within IT and OT environments, but also gives visibility into the state of the network.

Advisory

CVE-2022-20956 – Broken Access Control – CWE 648

Product line: Cisco Identity Services Engine
Version: 3.1 / 3.2
Score: 7.1
Impact: High
OWASP category: A01 - Broken Access Control
OWASP control: WSTG-ATHZ-01, WSTG-ATHZ-02, WSTG-ATHZ-03, WSTG-ATHZ-04
Affected endpoint / affected parameter: omitted
Prerequisites: No special configuration is required to reproduce the issue
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access system files.

This vulnerability is due to improper access control in the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to, including exploitation of the path traversal vulnerability that affects versions 3.1 / 3.1P1-P4 and 3.2 (https://yoroi.company/research/cve-advisory-cisco-ise-path-traversal/).

Owasp Category

A01 – Broken Access Control – An application's access control is responsible for managing the permissions on the data a user can access and the operations a user can perform. A broken access control vulnerability leads to unauthorized disclosure of information, modification or deletion of data, or execution of a function outside the user's operational limits.
Through this class of vulnerability it is possible to:

  • access potentially sensitive information intended for another user;
  • modify data belonging to another user by manipulating parameters that refer to IDs or usernames;
  • delete files outside one's own remit, both those intended for other users and those outside the application context.
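As an added illustration (not Cisco ISE code and not part of the original advisory), the following Python shows the two checks whose absence produces exactly the outcome described above: a per-operation role check on a file-management endpoint, and confinement of the requested path to the intended directory so that a traversal sequence cannot reach other system files. The base directory, role names and users are assumptions.

```python
"""Hardened authorization for a file list/download/delete endpoint.

Illustrative code only: it is not Cisco ISE's implementation. The base
directory, the role names and the permission table are assumptions.
"""
from dataclasses import dataclass
from posixpath import join, normpath
from typing import Optional, Tuple

# Hypothetical directory the file-management feature is meant to expose.
BASE_DIR = "/opt/app/exports"

# Assumed policy: operators may list and download, only admins may delete.
PERMISSIONS = {
    "list": {"admin", "operator"},
    "download": {"admin", "operator"},
    "delete": {"admin"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


def resolve_within_base(base: str, requested: str) -> Optional[str]:
    """Return the canonical path if it stays under base, otherwise None.

    Assumes the web layer has already URL-decoded the parameter, so
    "..%2f" arrives here as "../" and is caught by normpath.
    """
    if requested.startswith("/") or "\x00" in requested:
        return None
    candidate = normpath(join(base, requested))
    # normpath collapses ".." segments; anything that escaped base is refused.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def authorize_file_op(user: User, op: str, requested: str) -> Tuple[bool, str]:
    """Decide one request: (allowed, reason or canonical path)."""
    allowed_roles = PERMISSIONS.get(op)
    if allowed_roles is None:
        return False, "unknown operation"
    if user.role not in allowed_roles:  # function-level authorization
        return False, "role not permitted"
    path = resolve_within_base(BASE_DIR, requested)
    if path is None:  # path confinement, independent of the role check
        return False, "path escapes base directory"
    return True, path
```

Both checks are needed: a correct role check alone still lets an authorised user reach files outside the intended directory, and path confinement alone still lets a low-privilege user delete files within it.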

Mitigation

At the moment, Cisco has not yet released a mitigation for this issue.
Cisco ISE releases 3.1P4 and 3.2 reduce the impact of this vulnerability by preventing files from being downloaded; files can still be listed and deleted.

More updates will be published according to the vendor's patching schedule.

Timeline

July 2022: Discovered by Davide Virruso of Yoroi.
August 3, 2022: Reported to the Cisco Product Security Incident Response Team via email; the issue was assigned case number PSIRT-0255661654.
August 3, 2022: Cisco assigned an Incident Manager (IM) to the case; the issue ID is CSCwc62419.
August 9, 2022: Together with Cisco, it was decided to extend the disclosure timeframe by 15 days.
August 11, 2022: Yoroi followed up, asking for progress.
August 12, 2022: The IM provided a comprehensive update on the status of the issue.
September 7, 2022: The IM responsible for this problem changed, as the issue is a duplicate of CSCwb75965.
September 12, 2022: The IM started preparing the advisory by asking for publication details.
September 29, 2022: Coordinated disclosure was agreed with the IM for 19 October.
October 6, 2022: Cisco provided the CVE ID CVE-2022-20962.
October 14, 2022: The disclosure timeline was extended by two weeks due to issues related to understanding the vulnerability; November 2 was agreed upon as the disclosure date.
October 19, 2022: Cisco provided the new information, by default including the CVE and CVSS Carrier.
November 2, 2022: Cisco published its advisory.
November 10, 2022: Yoroi published its advisory.

