Cisco Systems’ network access control solution has five vulnerabilities rated High that could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks.
Four of the five problems in Cisco Identity Services Engine were identified earlier this month. However, network and security administrators will have to wait until Cisco releases software fixes for four of them. There is no workaround available for these holes, CVE-2022-20964. CVE-2022-20965, CVE-2022-20966 and CVE-2022-20967
Fortunately, they can be exploited only by valid and authorized ISE users, the company says. For protection, until the fixes are released, ISE administrators have to take extra care to restrict console access and admin web access.
Software updates have been released for the fifth vulnerability, CVE-2022-20961, described as a hole in ISE’s web-based management interface that could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device,
This vulnerability, Cisco says, is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the target user.
In listing four vulnerabilities in one advisory, Cisco noted they aren’t dependent on one another for exploitation. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
Separately, Cisco said it had released security fixes for a vulnerability in ISE that is rated Medium. CVE-2022-20963 is a vulnerability in the web-based management interface of ISE could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device.