Cisco has published a security advisory for a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) that could allow an authenticated, remote attacker to read and delete files on an affected device. The bug, with a CVSS score of 7.1 has no patch and no workaround. Cisco plans to provide a fixed release for version 3.1 in November, and a fixed release for version 3.2 in January, 2023. Release 3.0 and earlier are not vulnerable.
Cisco advises that hot fixes are available on request.
The vulnerability
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most urgent patch in this update is aimed at CVE-2022-20822.
CVE-2022-20822 is a path traversal vulnerability in the web-based management interface of Cisco ISE that could be exploited by an authenticated, remote attacker. Path traversal vulnerabilities allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../
into file or directory paths.
An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that they should not have access to.
Also in the advisory
The Cisco advisories page mentions another vulnerability in the ISE. The CVE-2022-20959 vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by persuading an authenticated administrator of the web-based management interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
And then there is a vulnerability worth noting because it is rated as high impact. CVE-2022-20933 is a vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart.
A patch is available for both.
Insufficient validation
The clear pattern here then it is insufficient validation of input on remotely accessible services.
Missing or improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection. While customers are entitled to expect proper input validation, it is a problem that haunts all web interfaces, and has done for decades.
So, instead of relying on the input validation provided by the vendor, users should consider adding extra measures, such as only allowing connections from trusted IP addresses, a limited numbers of authentication requests, and disabling access from the internet where it’s appropriate.