Cisco identifies vulnerabilities in Identity Services Engine

Cisco Systems’ network access control solution has five vulnerabilities rated High that could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks.

Four of the five problems in Cisco Identity Services Engine were identified earlier this month. However, network and security administrators will have to wait until Cisco releases software fixes for four of them. There is no workaround available for these holes, CVE-2022-20964. CVE-2022-20965, CVE-2022-20966 and CVE-2022-20967

Fortunately, they can be exploited only by valid and authorized ISE users, the company says. For protection, until the fixes are released, ISE administrators have to take extra care to restrict console access and admin web access.

Software updates have been released for the fifth vulnerability, CVE-2022-20961, described as a hole in ISE’s web-based management interface that could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device,

This vulnerability, Cisco says, is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the target user.

In listing four vulnerabilities in one advisory, Cisco noted they aren’t dependent on one another for exploitation. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

Separately, Cisco said it had released security fixes for a vulnerability in ISE that is rated Medium. CVE-2022-20963 is a vulnerability in the web-based management interface of ISE could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.