Cisco Identity Services Engine Flaw Allows Bypass of Authorization Mechanisms


Cisco has disclosed multiple vulnerabilities impacting its Identity Services Engine (ISE) software.

These vulnerabilities could allow authenticated, remote attackers to bypass authorization mechanisms or conduct a cross-site scripting (XSS) attack.

This advisory, released on November 6, 2024, highlights the risks associated with these vulnerabilities and provides details on the available fixes.

Vulnerabilities Overview

Cisco has identified two distinct vulnerabilities affecting the web-based management interface of its Cisco ISE platform.

These vulnerabilities are not interdependent, meaning one can be exploited without the other.

Both vulnerabilities have received a medium CVSS base score of 4.3, indicating moderate risk if exploited. The two major vulnerabilities are:

  1. CVE-2024-20476 – Cisco ISE Authorization Bypass Vulnerability
  2. CVE-2024-20487 – Cisco ISE Stored Cross-Site Scripting (XSS) Vulnerability

CVE-2024-20476: Cisco ISE Authorization Bypass Vulnerability

This vulnerability, CVE-2024-20476, could allow an authenticated, remote attacker to bypass authorization mechanisms on the Cisco ISE platform.

The flaw exists due to insufficient server-side validation of Administrator permissions in the web-based management interface. 

An attacker can exploit this vulnerability by submitting crafted HTTP requests to the affected system.

If successful, the threat actor could upload files to restricted locations that should only be accessible to administrators.

However, the attacker must have valid Read-Only Administrator credentials to exploit this vulnerability. 

Cisco has released software updates to address the vulnerability; no workarounds are available. Cisco Bug ID CSCwk23108 has been assigned to track this issue.
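The class of flaw described above, shown as an added illustration rather than Cisco's code or the actual ISE defect: a check that trusts the web UI to hide the upload function, beside a deny-by-default server-side check on role and destination. The role names, actions and directory paths are hypothetical and constructed for this example.

```python
import posixpath
from dataclasses import dataclass

# Constructed policy: role names, actions and directories are hypothetical.
POLICY = {
    "super_admin":     {"actions": {"view", "upload"}, "roots": ("/opt/app/uploads",)},
    "read_only_admin": {"actions": {"view"},           "roots": ()},
}

@dataclass(frozen=True)
class Request:
    authenticated: bool
    role: str        # taken from the server-side session, not the request body
    action: str      # "view" or "upload"
    dest: str = ""   # requested upload destination (client-controlled)

def authorize_weak(req: Request) -> bool:
    # Flawed pattern: any logged-in administrator passes; the server relies on
    # the web UI hiding the upload form from read-only accounts.
    return req.authenticated

def authorize_strict(req: Request) -> bool:
    # Deny by default: unknown roles and unlisted actions are refused.
    rule = POLICY.get(req.role)
    if not req.authenticated or rule is None or req.action not in rule["actions"]:
        return False
    if req.action != "upload":
        return True
    # Normalise before comparing so "../" segments cannot leave the allowed root.
    dest = posixpath.normpath(req.dest)
    return any(dest.startswith(root + "/") for root in rule["roots"])

def handle(req: Request, authorize) -> int:
    # HTTP-style status code for the request under the given check.
    return 200 if authorize(req) else 403

if __name__ == "__main__":
    # A read-only administrator sends the upload request directly.
    direct = Request(True, "read_only_admin", "upload", "/opt/app/uploads/x.bin")
    print("weak check:  ", handle(direct, authorize_weak))
    print("strict check:", handle(direct, authorize_strict))
```
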

CVE-2024-20487: Cisco ISE Stored XSS Vulnerability

The second vulnerability, CVE-2024-20487, allows an authenticated, remote attacker to conduct a stored XSS attack on the Cisco ISE interface.

This vulnerability arises from insufficient validation of user-supplied input within the system’s web-based interface. 

An attacker can exploit this flaw by injecting malicious code into specific interface areas.

If another user interacts with the compromised interface, the injected script could execute in the context of their browser session, potentially allowing unauthorized access to sensitive information. 

This vulnerability requires the attacker to have at least low-privileged access to an affected device to carry out the exploit.

Like the previous vulnerability, Cisco has released a patch to address the issue, but no workarounds are available. Cisco Bug ID CSCwk14907 tracks this flaw.

At the time of publication, these vulnerabilities affect certain Cisco ISE releases.

To mitigate the risks, Cisco advises users to update their software to the latest version. These vulnerabilities do not affect products not listed in the advisory, such as the Cisco ISE Passive Identity Connector (ISE-PIC).
