Cisco identifies vulnerabilities in Identity Services Engine

Cisco Systems’ network access control solution has five vulnerabilities rated High that could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks.

Four of the five problems in Cisco Identity Services Engine were identified earlier this month. However, network and security administrators will have to wait until Cisco releases software fixes for four of them. There is no workaround available for these holes, CVE-2022-20964. CVE-2022-20965, CVE-2022-20966 and CVE-2022-20967

Fortunately, they can be exploited only by valid and authorized ISE users, the company says. For protection, until the fixes are released, ISE administrators have to take extra care to restrict console access and admin web access.

Software updates have been released for the fifth vulnerability, CVE-2022-20961, described as a hole in ISE’s web-based management interface that could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device,

This vulnerability, Cisco says, is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the target user.

In listing four vulnerabilities in one advisory, Cisco noted they aren’t dependent on one another for exploitation. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

Separately, Cisco said it had released security fixes for a vulnerability in ISE that is rated Medium. CVE-2022-20963 is a vulnerability in the web-based management interface of ISE could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Featured Reads