Cisco has informed customers about two vulnerabilities found by a researcher in its Identity Services Engine product, including a high-severity issue.
Davide Virruso of Yoroi discovered that the web-based management interface of Identity Services Engine is affected by an unauthorized file access flaw that can allow a remote, authenticated attacker to read and delete files on impacted devices. The issue is tracked as CVE-2022-20822.
“An attacker could exploit this vulnerability by sending a crafted HTTP request that contains certain character sequences to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that their configured administrative level should not have access to,” Cisco explained.
Cisco is working on software updates that should address the security hole — updates are expected to become available in November 2022 and January 2023 — but it has informed customers that hot patches may be available on request.
Virruso also identified a cross-site scripting (XSS) vulnerability in the External RESTful Services (ERS) API of Identity Services Engine. The flaw can be exploited to execute arbitrary script code by getting an authenticated user to click on a specially crafted link.
This flaw has been patched in one version and hot fixes may be available on request for other versions.
Cisco noted in the advisories covering these vulnerabilities that it’s not aware of malicious attacks, but said proof-of-concept (PoC) exploit code will be made available after software fixes are released.
“Public reports of the vulnerability, including a description and classification without specific technical details, will become available after publication of this advisory,” Cisco said.
However, Virruso told SecurityWeek that no additional information is being shared at this time.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday told organizations to review Cisco’s advisories and take action if necessary.