CVE Advisory - Partial Disclosure Cisco ISE Cross Site Scripting

Introduction

In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service En-gine (ver. 3.1.0.518-Patch3-22042809).
Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have access to, when and how they can do it.
ISE therefore not only guarantees software-defined access and automates network segmentation within IT and OT environments, but also provides a means of visibility into the 'state' of the network.

Advisory

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-twLnpy3M
• https://nvd.nist.gov/vuln/detail/CVE-2022-20959

CVE-2022-20959 - Cross Site Scripting – CWE 79

Description

The cisco-ise-api-framework is vulnerable to Reflected Cross Site Scripting vulnerability via the URL id parameter; if exploited, this vulnerability allows an unauthorised user to inject arbitrary Javascript or HTML code in the victim's browser. Furthermore, this vulnerability can be exploited to remotely and without authentication exploit other flaws found within Cisco ISE.

Owasp Category

A03 – Injection – Cross Site Scripting, or also known as XSS, occurs when an application receives data in an http request and includes it in the response in an unsafe manner, thus allowing clients to inject script and/or HTML code into a request and causing the server to return the script and/or HTML in the response.

This happens because the application is taking untrusted data (in this case, from the client) and reusing it without performing any validation or sanitisation.

If the injected script is returned immediately and not stored permanently within the response, this is known as reflected XSS. The following are examples of what an attacker can achieve by exploiting a reflected XSS:

• Perform any action within the application that the user can perform;
• Display any information that the user is able to view;
• Modify any information that the user can modify;
• Initiate interactions with other users of the application, which will appear to come from the initial victim user.

Mitigation

Version 2.7: https://software.cisco.com/download/home/283801620/type/283802505/release/2.7.0
Version 3.0: https://software.cisco.com/download/home/283801620/type/283802505/release/3.0.0
Version 3.1: https://software.cisco.com/download/home/283801620/type/283802505/release/3.1.0
Version 3.2: https://software.cisco.com/download/home/283801620/type/283802505/release/3.2.0

More updates will be published according to the vendor patching schedule

Timeline

July 2022: Discovered by Davide Virruso of Yoroi.
August 3, 2022: Reported to Cisco Product Security Incident Response Team via email, issue assigned case number PSIRT-0255661654.
August 3, 2022: Cisco assigned the Incident Manager to the case, the issue id is CSCwc62413.
August 9, 2022: Together with Cisco, it was decided to increase the disclosure timeframe by 15 days.
August 11, 2022: Yoroi followed up, asking for progress.
August 12, 2022: Cisco IM provided a comprehensive update on the status of the issue.
September 8, 2022: Cisco IM provides a complete detail on the issue reporting vector, score and sir advisory with fixing dates.
September 19, 2022: Cisco IM starts preparing the advisory by asking for publication details.
September 29, 2022: coordinated disclosure was agreed with the IM for 19 October.
October 7, 2022: Cisco provides the CVE ID
October 19, 2022: Cisco publishes its advisory.
October 25, 2022: Yoroi publishes its advisory.

Reference

• https://www.cisco.com/c/it_it/products/security/identity-services-engine/index.html
• https://owasp.org/www-community/attacks/xss/
• https://spec.openapis.org/oas/v3.1.0
• https://it.wikipedia.org/wiki/Representational_state_transfer
• https://developer.cisco.com/docs/identity-services-engine/latest/#!cisco-ise-api-framework