Cisco Identity Services Engine Unauthorized Access Vulnerability

Summary

• A vulnerability in the Admin portal of devices running Cisco Identity Services Engine (ISE) software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device.
  
  An attacker who can connect to the Admin portal of an affected device could potentially exploit this vulnerability. A successful exploit may result in a complete compromise of the affected device. Customers are advised to apply a patch or upgrade to a version of Cisco ISE software that resolves this vulnerability.
  
  Cisco has released software updates that address this vulnerability.
  
  There are no workarounds that address this vulnerability.
  
  This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160113-ise

Affected Products

• Cisco ISE devices running software versions 1.1 or later, 1.2.0 prior to patch 17, 1.2.1 prior to patch 8, 1.3 prior to patch 5, or 1.4 prior to patch 4 are vulnerable.
  
  To determine which version of the software is currently running on a device, administrators may use the show version command in the device command-line interface (CLI) or click on the hostname in the upper-right corner of the Admin portal. The output of the CLI is similar to the following example:
  
  

  ise/admin# show version

  Cisco Application Deployment Engine OS Release: 2.2

  ADE-OS Build Version: 2.2.0.162

  ADE-OS System Architecture: x86_64

  Copyright (c) 2005-2014 by Cisco Systems, Inc.

  All rights reserved.

  Hostname: ise

  Version information of installed applications

  ---------------------------------------------

  Cisco Identity Services Engine

  ---------------------------------------------

  Version      : 1.3.0.876

  Build Date   : Tue Oct 28 03:02:29 2014

  Install Date : Wed Oct 14 14:19:02 2015

  Cisco Identity Services Engine Patch

  ---------------------------------------------

  Version      : 3

  Install Date : Wed Oct 14 18:57:55 2015

  ise/admin#

  
  
  

  Vulnerable Products

  • Cisco Identity Services Engine
  • Cisco Identity Services Engine Express

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability.

Workarounds

• There are no workarounds that address this vulnerability.

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  Customers should upgrade to an appropriate release as indicated in the following table:
  
  
  

  Cisco ISE Major Release	First Fixed Release for This Vulnerability
  1.1	End-of-Life - Migrate. For more information, see Cisco Identity Services Engine 1.1 End-of-Life Notice
  1.2.0	1.2.0 Patch 17
  1.2.1	1.2.1 Patch 8
  1.3	1.3 Patch 5
  1.4	1.4 Patch 4

  
  

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
  

Source

• This vulnerability was discovered by Cisco during internal testing.
  

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160113-ise

Revision History

• Version	Description	Section	Status	Date
  1.1	Metadata update.	-	Final	2018-September-24
  1.0	Initial public release	-	Final	2016-January-13

  Show Less