Affected products
Cisco Identity Services Engine (ISE)
Criticality of vulnerability(ies)
CVSS Score: 7.1 and 6.1
Impact
Path traversal vulnerability and cross-site scripting attack
Description
The vulnerabilities, first discovered by Davide Virruso at Yoroi, are rated “High” (CVE-2022-20822) and “Medium” (CVE-2022-20959).
The path traversal vulnerability allows attackers with authenticated user credentials to read or even delete files that their configured access rights should not let them reach.
By sending manipulated HTTP requests containing certain strings, attackers can bypass security measures and even take full control, according to CISA.
In a path traversal attack, attackers try to access files that are generally not stored in the web root folder. Here, attackers could theoretically access additional data that is not displayed at all.
The cross-site scripting vulnerability allows attackers to execute arbitrary script code in the user context because input to the External RESTful Services (ERS) is insufficiently filtered.
Attackers exploit this vulnerability by means of manipulated links that users must actively follow.
In a cross-site scripting attack, attackers exploit gaps in web applications to either execute manipulated content in the user context or steal the user’s cookies and session information.
CVEs
CVE-2022-20822
CVE-2022-20959
Mitigation and recommended actions
Updates for the path traversal vulnerability will be released for version 3.1 in November 2022 with the 3.1P5 update, and for version 3.2 in January 2023 with the 3.2P1 update. (Version 3.0 is not affected, according to Cisco.)
The cross-site scripting vulnerability will be fixed in versions 2.7P8 and 3.0P7 in February 2023, and in 3.1P4 and 3.2P1 as early as January.
Since older versions of ISE are affected by both vulnerabilities in the same way but no longer receive updates, Cisco recommends that IT managers upgrade their ISE to a newer version.
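The fixed patch levels listed above, turned into a check that can be run over an inventory of ISE nodes. This is an added example, not Cisco tooling or part of the original advisory; the release notation ("3.1P4"), the host names and the rule that any release train not listed above is reported as having no fix are assumptions.

```python
import re

# First fixed patch per release train, exactly as listed in this advisory.
# None = the advisory states that this train is not affected.
FIXED_IN = {
    "CVE-2022-20822": {"3.0": None, "3.1": 5, "3.2": 1},          # path traversal
    "CVE-2022-20959": {"2.7": 8, "3.0": 7, "3.1": 4, "3.2": 1},   # XSS in ERS
}

def parse_release(text):
    """Split '3.1P4' into ('3.1', 4); a bare '3.1' means no patch installed."""
    m = re.fullmatch(r"\s*(\d+\.\d+)(?:\s*[Pp](\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return m.group(1), int(m.group(2) or 0)

def assess(release):
    """Return {CVE: status} for one ISE release string."""
    train, patch = parse_release(release)
    result = {}
    for cve, fixes in FIXED_IN.items():
        if train not in fixes:
            # Assumption: trains without a listed fix need an upgrade,
            # following the advisory's note on older versions.
            result[cve] = "no fix listed for this train: upgrade"
        elif fixes[train] is None:
            result[cve] = "not affected"
        elif patch >= fixes[train]:
            result[cve] = "fixed"
        else:
            result[cve] = f"vulnerable: install {train}P{fixes[train]}"
    return result

def needs_action(inventory):
    """Return {host: {CVE: status}} for every host with an open finding."""
    open_findings = {}
    for host, release in inventory.items():
        todo = {c: s for c, s in assess(release).items()
                if s not in ("fixed", "not affected")}
        if todo:
            open_findings[host] = todo
    return open_findings

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    sample = {"ise-pan-01": "3.1P4", "ise-psn-02": "3.2P1", "ise-old-03": "2.4P13"}
    for host, findings in needs_action(sample).items():
        print(host, findings)
```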
References and links
[1] Security Advisory: https://www.heise.de/news/Cisco-ISE-Angreifer-koennten-Kontrolle-uebernehmen-7317442.html?wt_mc=rss.red.security.alert-news.rdf.beitrag.beitrag
[2] Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM
[3] Security Advisory: https://www.helpnetsecurity.com/2022/10/21/cve-2022-20822-cve-2022-20959/