Cisco Identity Services Engine (ISE) is a platform that provides identity-based environmental awareness. It collects real-time information from networks, users, and devices to implement policies and monitor the network. Cisco ISE can detect attacks on the network and reduce the pressure of complex access management.
On October 11, Cisco released a security update to fix important vulnerabilities in Cisco ISE, including privilege escalation. Here are the details of the vulnerabilities:
Vulnerability Details
Source:
CVE-2021-1594 CVSS Score: 7.5 Severity: High
A vulnerability exists in the REST API of Cisco Identity Services Engine (ISE) that could allow an unauthenticated remote attacker to execute command injection attacks and escalate privileges to Root.
This vulnerability is due to insufficient input validation on specific API endpoints. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting and modifying communication between specific nodes of different ISE roles. A successful exploit could allow the attacker to run arbitrary commands with Root privileges on the underlying operating system. To exploit this vulnerability, the attacker needs to decrypt https traffic between two ISE roles on different nodes.
Affected Products
This vulnerability affects Cisco devices running vulnerable versions of Cisco ISE in a distributed deployment.
To determine if Cisco ISE is deployed on a device, follow these steps:
For devices running Cisco ISE version 3.0 or higher, go to the Cisco ISE GUI and click on the menu icon. (This step is not necessary for devices running versions earlier than 3.0.)
Select Administration > System > Deployment.
Click on Deployment in the left navigation pane to view all Cisco ISE nodes as part of the deployment.
If the value under Role(s) is STANDALONE, the device is in a standalone deployment and not affected by this vulnerability. If there is any value other than STANDALONE under Role(s), the device is in a distributed deployment and is affected by this vulnerability.
Cisco ISE 2.4 upgrade can be fixed with version
Cisco ISE 2.6 upgrade with patch 11 can be fixed
Cisco ISE 2.7 upgrade with patch 5 can be fixed
Cisco ISE 3.0 upgrade with patch 4 can be fixed
For more information on vulnerabilities and upgrades, please visit the official website:
https://Tools.cisco.com/security/center/publicationlisting.x
