Cisco patches critical flaws in Identity Services Engine
Cisco has rolled out software updates to address a pair of critical vulnerabilities in its Identity Services Engine (ISE) that could let hackers take over devices and access data.
The flaws affect Cisco ISE and Cisco ISE Passive Identity Connector, versions 3.0 to 3.3, but not 3.4. A workaround is not possible, so a software upgrade is required.
Cisco said in its support pages that the vulnerabilities aren’t dependent on each other, so can be exploited separately. To take advantage of the flaws, an attacker would require “read-only” administrative credentials.
The first flaw, with a 9.9 critical rating, is in an API for Cisco ISE. The company explained this vulnerability was due to “insecure deserialization of user-supplied Java byte streams by the affected software”.
“An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges,” the advisory noted.
The second vulnerability is also in a Cisco ISE API with a 9.1 critical rating.
“This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data,” the company said.
“An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device,” the company added. “A successful exploit could allow the attacker… to obtain information, modify system configuration, and reload the device.”
Cisco issues free patch for customers
Cisco advised that companies with service contracts will receive the security patches through their usual update channels, but added that it had released a free update that’s available for everyone.
The company thanked a set of Deloitte researchers for reporting the flaws, which aren’t believed to be in use by hackers in the wild yet.
“The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory,” the company said, referencing its Product Security Incident Response Team.
At the end of last year, hackers claimed to have successfully hoovered up key data from Cisco that was left public on the internet following a misconfiguration, including ISE details.
At present, there is no connection between that incident and the flaws spotted by security researchers.
MORE FROM ITPRO
Source link
