CyberInsights
The blog about your IT security

CISCO Identity Service Engine vulnerability (ISE)

Affected products

Cisco Identity Service Engine (ISE)

Criticality of vulnerability(ies)

CVSS Score: 7.1 and 6.1

Impact

Path traversal vulnerability and cross-site scripting attack

Description

The vulnerabilities, first discovered by Davide Virruso at Yoroi, are classified as “High” (CVE-2022-20822) as well as “Medium” (CVE-2022-20959).

The path traversal vulnerability allows attackers with authenticated user credentials to read or even delete files to which they should not actually have access with the configured access rights.

By sending manipulated HTTP requests with certain strings, attackers can overcome security measures and even take full control, according to CISA.

With a path traversal vulnerability, attackers try to access files that are generally not stored in the web root folder. Here, attackers could theoretically access additional data that is not displayed at all.

The cross-site scripting attack allows attackers to execute arbitrary script code in the user context through insufficient filtering of External RESTful Services (ERS).

The attackers exploit this vulnerability by means of manipulated links that users must actively use.

In a cross-site scripting attack, attackers exploit gaps in web applications to either execute manipulated content in the user context or steal the user’s cookies and session information.

CVEs

CVE-2022-20822
CVE-2022-20959

Mitigation or measure to avoid respectively possible recommendations for action

Updates for the Path Traversal vulnerability will be released for version 3.1 in November 2022 with the 3.1P5 update, and for version 3.2 in January 2023 with the 3.2P1 update. (Version 3.0 is not affected, according to Cisco).

Updates for the cross-site scripting attack will be fixed with versions 2.7P8 and 3.0P7 in February 2023, and 3.1P4 and 3.2P1 as early as January.

Since older versions of ISE are just as vulnerable to the two vulnerabilities but no longer receive updates, Cisco recommends that IT managers upgrade their ISE to a newer version.

References and links

[1] Security Advisory: https://www.heise.de/news/Cisco-ISE-Angreifer-koennten-Kontrolle-uebernehmen-7317442.html?wt_mc=rss.red.security.alert-news.rdf.beitrag.beitrag
[2] Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM
[3] Security Advisory: https://www.helpnetsecurity.com/2022/10/21/cve-2022-20822-cve-2022-20959/

Follow us on

Subscribe to our newsletter on the topic of cyber security

With our Cyberletter you are always up to date - about vulnerability reports, current IT threat scenarios and other relevant news from the field of cyber security and data security.

With the registration I accept the handling of my personal data (§13 GDPR) and agree to the privacy policy.