===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3316
          Cisco Identity Services Engine multiple vulnerabilities
                              7 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Identity Services Engine
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise          -- Remote with User Interaction
                   Access Confidential Data -- Existing Account            
                   Reduced Security         -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-34706 CVE-2021-34702 CVE-2021-1594

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-priv-esc-UwqPrBM3
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-info-disc-pNXtLhdp
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-V4VSjEsX

Comment: This bulletin contains three (3) Cisco Systems security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Identity Services Engine Privilege Escalation Vulnerability

Priority:        High
Advisory ID:     cisco-sa-ise-priv-esc-UwqPrBM3
First Published: 2021 October 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy11976
CVE Names:       CVE-2021-1594
CWEs:            CWE-266

Summary

  o A vulnerability in the REST API of Cisco Identity Services Engine (ISE)
    could allow an unauthenticated, remote attacker to perform a command
    injection attack and elevate privileges to root.

    This vulnerability is due to insufficient input validation for specific API
    endpoints. An attacker in a man-in-the-middle position could exploit this
    vulnerability by intercepting and modifying specific internode
    communications from one ISE persona to another ISE persona. A successful
    exploit could allow the attacker to run arbitrary commands with root 
    privileges on the underlying operating system. To exploit this
    vulnerability, the attacker would need to decrypt HTTPS traffic between two
    ISE personas that are located on separate nodes.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-priv-esc-UwqPrBM3

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices if they are running a vulnerable
    release of Cisco ISE in a distributed deployment.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine the Deployment Type

    To determine whether Cisco ISE is in a distributed deployment on a device,
    do the following:

       1. For a device running Cisco ISE Release 3.0 or later, go to the Cisco
          ISE GUI and click the Menu icon. (This step is not necessary for
          devices running a release earlier than Release 3.0.)
       2. Choose Administration > System > Deployment.
       3. Click Deployment from the navigation pane on the left to see all of
          the Cisco ISE nodes that are part of the deployment.

    If the value under Role(s) is STANDALONE, the device is in a standalone
    deployment and is not affected by this vulnerability. If there is any value
    other than STANDALONE under Role(s), the device is in a distributed
    deployment and is affected by this vulnerability.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect standalone
    deployments of Cisco ISE.

Details

  o For information about Cisco ISE nodes and personas, see the Cisco Identity
    Services Engine Installation Guide.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers are advised to upgrade
    to an appropriate fixed software release as indicated in this section.

    Cisco Identity Services Engine Release      First Fixed Release
    2.4                                         Migrate to a fixed release.
    2.6                                         2.6 Patch10
    2.7                                         2.7 Patch5
    3.0                                         3.1

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Alexander Polce Leary for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-priv-esc-UwqPrBM3

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-OCT-06  |
    +----------+---------------------------+----------+--------+--------------+


--------------------------------------------------------------------------------


Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-ise-info-disc-pNXtLhdp
First Published: 2021 October 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy86528
CVE Names:       CVE-2021-34702
CWEs:            CWE-200

Summary

  o A vulnerability in the web-based management interface of Cisco Identity
    Services Engine (ISE) could allow an authenticated, remote attacker to
    obtain sensitive information.

    This vulnerability is due to improper enforcement of administrator
    privilege levels for low-value sensitive data. An attacker with read-only 
    administrator access to the web-based management interface could exploit
    this vulnerability by browsing to the page that contains the sensitive
    data. A successful exploit could allow the attacker to collect sensitive
    information regarding the configuration of the system.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-info-disc-pNXtLhdp

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco ISE.

    For information about which Cisco software releases were vulnerable at the
    time of publication, see the Fixed Software section of this advisory. See
    the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco ISE Release           First Fixed Release
    2.2                         Migrate to a fixed release.
    2.4                         Migrate to a fixed release.
    2.6                         2.6 Patch 11 (future release)
    2.7                         2.7 Patch 5
    3.0                         3.0 Patch 4
    3.1                         Not vulnerable.

    Important: Cisco ISE 3.0 is a smart licensing-only solution that requires
    communication to the cloud. Cisco ISE 3.0 does not support air-gapped
    networks until Release 3.0 Patch 2.

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank security researcher Nishant Raman for reporting
    this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-info-disc-pNXtLhdp

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-OCT-06  |
    +----------+---------------------------+----------+--------+--------------+


--------------------------------------------------------------------------------


Cisco Identity Services Engine XML External Entity Injection Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-ise-xxe-inj-V4VSjEsX
First Published: 2021 October 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy75191
CVE Names:       CVE-2021-34706
CWEs:            CWE-611

Summary

  o A vulnerability in the web-based management interface of Cisco Identity
    Services Engine (ISE) could allow an authenticated, remote attacker to
    access sensitive information or conduct a server-side request forgery
    (SSRF) attack through an affected device.

    This vulnerability is due to improper handling of XML External Entity (XXE)
    entries when parsing certain XML files. An attacker could exploit this
    vulnerability by uploading a crafted XML file that contains references to
    external entities. A successful exploit could allow the attacker to
    retrieve files from the local system, resulting in the disclosure of
    sensitive information, or cause the web application to perform arbitrary
    HTTP requests on behalf of the attacker.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-V4VSjEsX
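    The mitigation for the CWE-611 class described above is to never resolve
    external entities when parsing an uploaded XML file. The following is an
    added illustration of that hardened parsing, not Cisco's code and not tied
    to how ISE handles its uploads; the sample documents, the placeholder file
    path and the function names are constructed for the example.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class UnsafeXmlError(ValueError):
    """Raised when an upload carries constructs that could enable XXE."""


class _Collector(ContentHandler):
    """Minimal SAX handler: records element names and text for the caller."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_uploaded_xml(data: bytes) -> dict:
    """Parse an uploaded XML document with external-entity resolution disabled.

    Defence 1: refuse any document that carries a DTD. External entities can
    only be declared inside a DTD, so rejecting <!DOCTYPE and <!ENTITY closes
    CWE-611 before the parser runs. The scan is deliberately conservative and
    will also reject a document whose CDATA merely contains those strings.
    Defence 2: even if the scan were bypassed, the SAX parser is told not to
    load external general or parameter entities, so no file or URL is fetched.
    """
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise UnsafeXmlError("DTD and entity declarations are not accepted")

    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    handler = _Collector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return {"elements": handler.elements, "text": "".join(handler.text).strip()}


def is_safe_upload(data: bytes) -> bool:
    """True if the document parses under the hardened settings, else False."""
    try:
        parse_uploaded_xml(data)
        return True
    except (UnsafeXmlError, xml.sax.SAXParseException):
        return False


# Constructed sample uploads for the example (not from ISE or the advisory).
BENIGN_UPLOAD = b'<?xml version="1.0"?><policy><name>guest-access</name></policy>'
XXE_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE p [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<policy><name>&ext;</name></policy>'
)

if __name__ == "__main__":
    print("benign accepted:", is_safe_upload(BENIGN_UPLOAD))  # True
    print("xxe accepted:", is_safe_upload(XXE_UPLOAD))        # False
```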

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco ISE releases
    3.1 and earlier.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the fix that addresses this vulnerability is
    ready but not yet available through cisco.com. For additional information
    regarding when the fix will become available through regular release
    patches, see the Details section in the bug ID(s) at the top of this
    advisory.

    To request a hot patch to address this vulnerability for Cisco ISE Software
    releases 2.4 through 3.1, open a TAC Support case.

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank the Lockheed Martin Red Team for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-V4VSjEsX

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-OCT-06  |
    +----------+---------------------------+----------+--------+--------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================