Cisco ISE Vulnerabilities Can Be Chained in One-Click Exploit

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks.

An identity-based network access control (NAC) and policy enforcement system, Cisco ISE allows administrators to control endpoint access and manage network devices.

A total of four vulnerabilities have been identified by a researcher in ISE, the exploitation of all requiring an attacker to be a valid and authorized user of the ISE system.

The most severe of these vulnerabilities is CVE-2022-20964, a command injection bug in ISE’s web-based management interface tcpdump feature. The high-severity bug exists because user input is not properly validated.

“An attacker with privileges sufficient to access the tcpdump feature could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands,” Cisco explains in an advisory.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system. If chained with other flaws, the bug could allow the attacker to elevate privileges to root and potentially take over the vulnerable system.

According to Yoroi security researcher Davide Virruso, who discovered the vulnerabilities, Cisco underscored the impact that CVE-2022-20964 has on confidentiality, integrity, and availability, given that the security flaw can be exploited to gain root shell on the operating system.

By chaining CVE-2022-20964 with CVE-2022-20959, an XSS flaw in ISE that Cisco patched in October, an attacker could easily obtain a remote root shell on the vulnerable system, the security researcher told SecurityWeek.

“It only takes one click of the victim on the link to get a shell as the system root user,” Virruso said.

Tracked as CVE-2022-20965, another bug is described as an access bypass in the web-based management interface. According to Virruso, this access control issue expands the attack surface of the chained exploits, exposing many users to attacks.

By exploiting this vulnerability, “an authenticated, remote attacker is able to perform downloads of files generated by the function, leading to the disclosure of information that he or she should not be able to access,” Yoroi explains.

The remaining security defects – CVE-2022-20966 and CVE-2022-20967 – could lead to XSS attacks. The two flaws were identified in the tcpdump and External RADIUS Server features of the web-based management interface, respectively.

An attacker exploiting these vulnerabilities could store malicious HTML or script code within the application interface and use that code for XSS attacks.

Cisco says that patches addressing these vulnerabilities are planned for the first quarter of 2023, in the form of Cisco ISE releases 3.1p6 and 3.2p1.

The tech giant encourages customers to contact it for hot patches and says that it is also evaluating the possible release of patches for ISE versions 2.7 and 3.0.

Virruso told SecurityWeek that proof-of-concept (PoC) code targeting these vulnerabilities will be published next year. In its advisory, Cisco warns that the PoC will likely become available after patches are released.

Related: Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products

Related: Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products

Related: Citrix Patches Critical Vulnerability in Gateway, ADC