Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks.
An identity-based network access control (NAC) and policy enforcement system, Cisco ISE allows administrators to control endpoint access and manage network devices.
A total of four vulnerabilities have been identified by a researcher in ISE, the exploitation of all requiring an attacker to be a valid and authorized user of the ISE system.
The most severe of these vulnerabilities is CVE-2022-20964, a command injection bug in ISE’s web-based management interface tcpdump feature. The high-severity bug exists because user input is not properly validated.
“An attacker with privileges sufficient to access the tcpdump feature could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands,” Cisco explains in an advisory.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system. If chained with other flaws, the bug could allow the attacker to elevate privileges to root and potentially take over the vulnerable system.
According to Yoroi security researcher Davide Virruso, who discovered the vulnerabilities, Cisco underscored the impact that CVE-2022-20964 has on confidentiality, integrity, and availability, given that the security flaw can be exploited to gain root shell on the operating system.
By chaining CVE-2022-20964 with CVE-2022-20959, an XSS flaw in ISE that Cisco patched in October, an attacker could easily obtain a remote root shell on the vulnerable system, the security researcher told SecurityWeek.
“It only takes one click of the victim on the link to get a shell as the system root user,” Virruso said.
Tracked as CVE-2022-20965, another bug is described as an access bypass in the web-based management interface. According to Virruso, this access control issue expands the attack surface of the chained exploits, exposing many users to attacks.
By exploiting this vulnerability, “an authenticated, remote attacker is able to perform downloads of files generated by the function, leading to the disclosure of information that he or she should not be able to access,” Yoroi explains.
The remaining security defects – CVE-2022-20966 and CVE-2022-20967 – could lead to XSS attacks. The two flaws were identified in the tcpdump and External RADIUS Server features of the web-based management interface, respectively.
An attacker exploiting these vulnerabilities could store malicious HTML or script code within the application interface and use that code for XSS attacks.
Cisco says that patches addressing these vulnerabilities are planned for the first quarter of 2023, in the form of Cisco ISE releases 3.1p6 and 3.2p1.
The tech giant encourages customers to contact it for hot patches and says that it is also evaluating the possible release of patches for ISE versions 2.7 and 3.0.
Virruso told SecurityWeek that proof-of-concept (PoC) code targeting these vulnerabilities will be published next year. In its advisory, Cisco warns that the PoC will likely become available after patches are released.
Related: Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products
Related: Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products
Related: Citrix Patches Critical Vulnerability in Gateway, ADC

More from Ionut Arghire
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
- Boxx Insurance Raises $14.4 Million in Series B Funding
- Prilex PoS Malware Blocks NFC Transactions to Steal Credit Card Data
- 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
