Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3818.3
Cisco Identity Services Engine Vulnerabilities
23 December 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Identity Services Engine
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Root Compromise -- Existing Account
Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-27122 CVE-2020-26083 CVE-2020-3551
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxs-pkjCmq9d
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-euRCwX9
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-priv-esc-fNZX8hHj
Revision History: December 23 2020: Vendor updated advisory cisco-sa-ise-xss-euRCwX9
November 24 2020: Vendor issued minor updates
November 5 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Identity Services Engine Cross-Site Scripting Vulnerability
Priority: Medium
Advisory ID: cisco-sa-ise-xxs-pkjCmq9d
First Published: 2020 November 4 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvu84773
CVE-2020-26083
CWE-79
Summary
o A vulnerability in the web-based management interface of Cisco Identity
Services Engine (ISE) could allow an authenticated, remote attacker with
administrative credentials to conduct a cross-site scripting (XSS) attack
against a user of the interface.
The vulnerability exists because the web-based management interface does
not properly validate user-supplied input. An attacker could exploit this
vulnerability by injecting malicious code into specific pages of the
interface. A successful exploit could allow the attacker to execute
arbitrary script code in the context of the interface or access sensitive,
browser-based information. To exploit this vulnerability, an attacker would
need to have valid administrative credentials.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-ise-xxs-pkjCmq9d
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected all releases of
Cisco ISE.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
For information about fixed software releases, see the Details section in
the bug ID(s) at the top of this advisory.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cross-Site Scripting
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-ise-xxs-pkjCmq9d
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-04 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco Identity Services Engine Cross-Site Scripting Vulnerability
Priority: Medium
Advisory ID: cisco-sa-ise-xss-euRCwX9
First Published: 2020 November 4 16:00 GMT
Last Updated: 2020 December 22 13:10 GMT
Version 1.2: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvv01681
CVE Names: CVE-2020-3551
CWEs: CWE-79
Summary
o A vulnerability in the web-based management interface of Cisco Identity
Services Engine (ISE) could allow an unauthenticated, remote attacker to
conduct a cross-site scripting (XSS) attack against a user of the interface
of an affected device.
The vulnerability exists because the web-based management interface does
not properly validate user-supplied input. An attacker could exploit this
vulnerability by persuading a user of an affected interface to click a
crafted link. A successful exploit could allow the attacker to execute
arbitrary script code in the context of the affected interface or access
sensitive, browser-based information.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-euRCwX9
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco ISE releases
2.6 and 2.7.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco ISE releases 2.6 Patch8 and later and
Cisco ISE releases 3.0 and later contained the fix for this vulnerability.
Important: Cisco ISE 3.0 is a smart licensing-only solution that requires
communication to the cloud. At the time of publication, it does not support
air-gapped networks. Customers on ISE 2.7 with air-gapped networks are
advised to wait for the upcoming patch releases for Cisco ISE 2.7 Patch3
which will include the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Pawel Gocyla of ING Tech Poland for reporting
this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cross-Site Scripting
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-euRCwX9
Revision History
o +---------+-----------------------------+----------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+-----------------------------+----------+--------+-------------+
| 1.2 | Added Release 2.6 Patch8. | Fixed | Final | 2020-DEC-22 |
| | | Releases | | |
+---------+-----------------------------+----------+--------+-------------+
| 1.1 | Added fix information for | Fixed | Final | 2020-NOV-23 |
| | air-gapped networks. | Releases | | |
+---------+-----------------------------+----------+--------+-------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-04 |
+---------+-----------------------------+----------+--------+-------------+
- --------------------------------------------------------------------------------
Cisco Identity Services Engine Privilege Escalation Vulnerability
Priority: Medium
Advisory ID: cisco-sa-ise-priv-esc-fNZX8hHj
First Published: 2020 November 4 16:00 GMT
Last Updated: 2020 November 22 21:34 GMT
Version 1.1: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvv08885
CVE Names: CVE-2020-27122
CWEs: CWE-266
CVSS Score:
4.4 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the Microsoft Active Directory integration of Cisco
Identity Services Engine (ISE) could allow an authenticated, local attacker
to elevate privileges on an affected device. To exploit this vulnerability,
an attacker would need to have a valid administrator account on an affected
device.
The vulnerability is due to incorrect privilege assignment. An attacker
could exploit this vulnerability by logging in to the system with a crafted
Active Directory account. A successful exploit could allow the attacker to
obtain root privileges on an affected device.
Note: Only devices that have the CLI configured to support Active Directory
authentication are affected by this vulnerability. CLI support for Active
Directory authentication is disabled by default. All other uses of Active
Directory Domain Services or Active Directory Certificate Services within
ISE are not affected.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-ise-priv-esc-fNZX8hHj
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco ISE releases
2.6 and 2.7.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco ISE
releases 2.2, 2.2.1, 2.3, and 2.4 because the CLI Active Directory
capability did not exist in those releases.
Details
o In order for exploitation to occur, a user with administrator access to the
CLI must do both of the following:
Enable the Active Directory CLI capability.
Enable the Active Directory CLI authentication capability (disabled by
default) with knowledge of an existing Active Directory domain.
Workarounds
o There are no workarounds that address this vulnerability.
However, administrators can disable the Active Directory CLI capability as
a mitigation.
Note: A user with administrator access to the CLI will be able to re-enable
it.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco ISE releases 3.0.0 and later contained
the fix for this vulnerability.
Important: Cisco ISE 3.0 is a smart licensing-only solution that requires
communication to the cloud. At the time of publication, it does not support
air-gapped networks. Customers with air-gapped networks are advised to wait
for the upcoming patch releases for Cisco ISE releases 2.6 and 2.7, which
will include the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-ise-priv-esc-fNZX8hHj
Revision History
o +---------+-------------------------+--------------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+-------------------------+--------------+--------+-------------+
| | Added configuration | Summary, | | |
| | requirements, | Affected | | |
| | vulnerable and not | Products, | | |
| 1.1 | vulnerable releases, | Details, | Final | 2020-NOV-22 |
| | exploitation details, a | Workarounds, | | |
| | mitigation, and fix | Fixed | | |
| | information for | Releases | | |
| | air-gapped networks. | | | |
+---------+-------------------------+--------------+--------+-------------+
| 1.0 | Initial public release. | - | Final | 2020-NOV-04 |
+---------+-------------------------+--------------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX+KSouNLKJtyKPYoAQhA/xAAnFoEp+37l2EbwrnG7VEgC9j7XvbkttCx
J5yWgrOK+2ygrEJT4j4pfLHlc6QkyblUxiFqk9dp32wV2cQ3aK3vYYPg4i+72W51
oMZArMWQg38BOX0TSv8L5FgNgQg1itzFOyegaG2fl60b6lB2gYugRtUn2G9JOxZE
siXWEk5o5FdFb+Da9Y8ZY//V8eWWa21JIraj/dyZ/JaRwPB/4U9T9mgYj4rBGFiP
k5sp4xAppPii2QG3HtSS9nDzCFy4rAGd5xaRQL9FNpJMXCLwkpeek5VNuYUF+yvL
2jc2Q5BrRzOqHGW3NW5qkbsvJT3+kZsovrUbVd3H2pkVmAAmQaXHBb46BlQV/yOH
yAzTFDKM/j5BXzaQeAFdZ/J5iDx7c1RATLQX2N2aJ8EHX+0Ky9GBt3GB+/lISu3D
lDSHddIXaOuaObYjtUQ46pisy0LBFY3iq2kAZAsj41xZq1iBJoyZhpYYOIqKbHSm
c4TcLzXYDhwh/AJk1Vs7vusqxKcPbXDEIpYbaDZ8K5ND3YB5uSRDJ8/+5AQcmSlk
0xH22GujjCIQw7J4HjEPbQxA+4VhJryz+ki/bcZrf8cpGHgBlmeQZirlGYt8Xmz7
eacTX9caAv9GxfqeOGVIkTNO5MiRjMBzmDn1jfsjLWvpCnWW51qtk6H6lu2khkMT
TNGYA12pNRc=
=hXfy
-----END PGP SIGNATURE-----