Cisco warns of ISE vulnerability with no fixed release or workaround

Categories: Exploits and vulnerabilities, News

Tags: Cisco, Identity Services Engine, AnyConnect VPN server, CVE-2022-20822, CVE-2022-20959, CVE-2022-20933, input validation

Cisco’s latest security advisory includes a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) that could allow an attacker to read and delete files.


The post Cisco warns of ISE vulnerability with no fixed release or workaround appeared first on Malwarebytes Labs.

Malwarebytes

Posted: October 24, 2022 by

Cisco has published a security advisory for a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) that could allow an authenticated, remote attacker to read and delete files on an affected device. The bug, with a CVSS score of 7.1, has no patch and no workaround. Cisco plans to provide a fixed release for version 3.1 in November, and a fixed release for version 3.2 in January, 2023. Release 3.0 and earlier are not vulnerable.

Cisco advises that hot fixes are available on request.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most urgent patch in this update is aimed at CVE-2022-20822.

CVE-2022-20822 is a path traversal vulnerability in the web-based management interface of Cisco ISE that could be exploited by an authenticated, remote attacker. Path traversal vulnerabilities allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths.

An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that they should not have access to.
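
To show the bug class in general terms, the following added example (not Cisco's code and not part of the original article) puts an unchecked path join beside a version that canonicalizes the path and confines it to one directory before reading or deleting. The directory layout, file names and function names are constructed for illustration.

```python
import os
import tempfile

class PathTraversalError(ValueError):
    """Requested name resolves outside the permitted directory."""

def naive_resolve(base_dir, requested):
    # Vulnerable pattern: joined unchecked, so "../" or an absolute path escapes.
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    # Hardened pattern: canonicalize (collapses "../", follows symlinks),
    # then require the result to still sit inside the canonical base.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"{requested!r} is outside {base_dir!r}")
    return target

def safe_delete(base_dir, requested):
    # The same check guards destructive operations, not only reads.
    target = safe_resolve(base_dir, requested)
    os.remove(target)
    return target

def build_sample_tree():
    # Constructed layout: exports/ is servable, secret.conf beside it is not.
    root = os.path.realpath(tempfile.mkdtemp())
    exports = os.path.join(root, "exports")
    os.mkdir(exports)
    secret = os.path.join(root, "secret.conf")
    for path in (secret, os.path.join(exports, "report.csv")):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(secret, os.path.join(exports, "link.csv"))
    return exports, secret

def classify(exports, requests):
    verdicts = {}
    for name in requests:
        try:
            safe_resolve(exports, name)
            verdicts[name] = "allowed"
        except PathTraversalError:
            verdicts[name] = "blocked"
    return verdicts

if __name__ == "__main__":
    exports, secret = build_sample_tree()
    print(classify(exports, ["report.csv", "../secret.conf", "link.csv", secret]))
```

The check has to run on the value after any URL decoding, because that decoded string is what the filesystem call receives.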

Also in the advisory

The Cisco advisories page mentions another vulnerability in the ISE. The CVE-2022-20959 vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by persuading an authenticated administrator of the web-based management interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

And then there is a vulnerability worth noting because it is rated as high impact. CVE-2022-20933 is a vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart.

A patch is available for both.

Insufficient validation

The clear pattern here, then, is insufficient validation of input on remotely accessible services.

Missing or improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection. While customers are entitled to expect proper input validation, it is a problem that haunts all web interfaces, and has done for decades.

So, instead of relying on the input validation provided by the vendor, users should consider adding extra measures, such as only allowing connections from trusted IP addresses, limiting the number of authentication requests, and disabling access from the internet where it’s appropriate.


Related news

CVE-2022-20822: Cisco Security Advisory: Cisco Identity Services Engine Unauthorized File Access Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read and delete files on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains certain character sequences to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that their configured administrative level should not have access to. Cisco plans to release software updates that address this vulnerability.

CVE-2022-20933: Cisco Security Advisory: Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and re-authenticate. A sustained attack could prevent new SSL VPN connections from being established. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention. Cisco Meraki has released software updates that address this vulnera...