16 December 2022
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5209.3 Cisco Identity Services Engine Unauthorized File Access Vulnerability 16 December 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Identity Services Engine Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20822 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM Comment: CVSS (Max): 7.1 CVE-2022-20822 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Revision History: December 16 2022: Vendor Update December 16 2022: Vendor Update October 20 2022: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Identity Services Engine Unauthorized File Access Vulnerability Priority: High Advisory ID: cisco-sa-ise-path-trav-Dz5dpzyM First Published: 2022 October 19 16:00 GMT Last Updated: 2022 December 13 18:57 GMT Version 1.1: Interim Workarounds: No workarounds available Cisco Bug IDs: CSCwc62415 CVE Names: CVE-2022-20822 CWEs: CWE-22 Summary o A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to list, download, and delete files on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains certain character sequences to an affected system. A successful exploit could allow the attacker to list, download, or delete specific files on the device that their configured administrative level should not have access to. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM Affected Products o Vulnerable Products This vulnerability affects Cisco ISE. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section. Cisco ISE Release First Fixed Release 3.0 and earlier Not vulnerable 3.1 3.1P5 3.2 ^1 3.2P1 (Jan 2023) 1. A hot patch may be available by request for Cisco ISE Release 3.2. Contact Cisco TAC to make the request. For instructions on upgrading your device, see the Upgrade Guides located on the Cisco Identity Service Engine support page. The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Exploitation and Public Announcements o The Cisco PSIRT is aware that proof-of-concept exploit code for the vulnerability that is described in this advisory will become available after software fixes are released. Public reports of the vulnerability, including a description and classification without specific technical details, are available. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory. Source o Cisco would like to thank Davide Virruso of Yoroi for reporting this vulnerability. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM Revision History o +---------+-----------------------+---------------+---------+-------------+ | Version | Description | Section | Status | Date | +---------+-----------------------+---------------+---------+-------------+ | | Updated summary, | Summary, | | | | | fixed release | Fixed | | | | | information, hot | Software, | | | | 1.1 | patch information, | Exploitation | Interim | 2022-DEC-13 | | | and public | and Public | | | | | announcements | Annoucements | | | | | information. | | | | +---------+-----------------------+---------------+---------+-------------+ | 1.0 | Initial public | - | Interim | 2022-OCT-19 | | | release. | | | | +---------+-----------------------+---------------+---------+-------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY5vK78kNZI30y1K9AQiNkxAAlqit35SSdtetjHoAg7Z8q7IhPtxquLOS kHd7fdyiFfFPeFZF7thBmhGIiLLfU6hLEEOBNCaqPsGRvgfjOxLyEzbYU87fnVkk Kju66Dn1iFGbvnNzdGTyYMDJJDnySrrm8EQW7o04/vyNZxxXpxFpzdGRTQaWTB1Q H5r7cAFjbuI6jtkdTa86qzUQJ9QiuSQ5ZkJe2trioPbSxA56E3YiAe7YsqIajs1Q 7asKMhF6V2cFmjOh60Iw9A/4za86YpALL8eGlWr9RKi9kRYC6XfrcEjtmFQ2CghX kCUIT0o2iVoo5/+QY+r0+qNaYUXFNTNwXHtim3FAvPbtVSerys5FKngxXXfLfAyj KjeSNx8pPZ50sGdeJQrO76WalEvGHpfeFPGzNNwzjqM9ckhaidVbpE5RdROwiNvW lnlHUOflDBVf6kqDCIqSXwwHuRYrSZ52ZBfBS6JBuy/uvnmJfctRk2ySOJKBRAVi Yr7BWU5Aov461f1THf2eX9dEq9ZGvJ2u+Izulw0Qixck0px+P5JIe4RLuR8DXS0K mAElUcVku9G7yWR86bCR27OXu8/ohGhNbscP/0ORefcwqpVdXZgdio42AlElQnPZ l5KQO712U82KL2rTY2J9GkfGJvPDxHD5K7rjSGYjvXFY5Kc7jDe0SzXzQgoU/YY2 p+1K+TJqQfE= =xCBi -----END PGP SIGNATURE-----