Hi,
On January 20th, SSD disclosed 3 vulnerabilities found by Agile
Information Security in their Cisco Identity Services Engine (ISE) product.
These are unauth stored XSS, unsafe Java deserialization and privesc to
root, which when combined allow an unauthenticated attacker to achieve
remote code execution as root - as long as you can get an admin to visit
the ISE page vulnerable to stored XSS. This is my take on it.
Cisco has been incredibly negligent throughout this whole affair:
- they did not assign CVE numbers to java deserialization and the
privesc, making it impossible to track them
- it is not clear what / if any versions are fixed from their security
bulletins
- they still recommend version 2.4.0.357 as the suggested release in the
downloads section of their website; this is the version we tested and
found vulnerable to everything described below
- the java deserialization and privesc vulnerabilities were
independently found by other researchers and reported around the same
time, but Cisco refused to give Agile Information Security any credit
In summary, this is a total mess. It is pretty evident that Cisco does
not care about security or keeping their customers informed, they just
like to sweep security issues under the rug. Good luck doing that with a
public exploit.
We would like to thank Beyond Security's SSD Disclosure programme for
helping us deal with Cisco and avoid even more headaches. Their advisory
can be found at https://ssd-disclosure.com/index.php/archives/3778 and a
copy of the text below can be found in my repo at
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ise-rce.txt.
Get the exploit from SSD's post or from
https://raw.githubusercontent.com/pedrib/PoC/master/exploits/ISEpwn.rb
==
>> Multiple vulnerabilities in Cisco Identity Services Engine
(unauthenticated stored XSS to RCE as root)
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security and Dominik Czarnota (dominik.b.czarn...@gmail.com)
=
Disclosure: 20/01/2019 / Last updated: 05/02/2019
>> Background and product information
>From the vendor's website [1]:
The Cisco Identity Services Engine (ISE) is your one-stop solution to
streamline security policy management and reduce operating costs. With
ISE, you can see users and devices controlling access across wired,
wireless, and VPN connections to the corporate network.
Cisco ISE allows you to provide highly secure network access to users
and devices. It helps you gain visibility into what is happening in your
network, such as who is connected, which applications are installed and
running, and much more. It also shares vital contextual data, such as
user and device identities, threats, and vulnerabilities with integrated
solutions from Cisco technology partners, so you can identify, contain,
and remediate threats faster."
>> Summary
ISE is distributed by Cisco as a virtual appliance. We have analysed
version 2.4.0.357 and found three vulnerabilities: an unauthenticated
stored cross site scripting, a authenticated Java deserialization
vulnerability leading to remote code execution as an unprivileged user,
and a privilege escalation from that unprivileged user to root.
By putting them all together, we can achieve remote code execution as
root, provided we can trap an administrator into visiting the ISE page
vulnerable to the stored cross site scripting. A Ruby exploit that
implements this full exploit chain (described in more detail at
'Exploitation summary', at the end of this file) is available in [2].
All the vulnerabilities in this advisory were found independently by
Agile Information Security. However, vulnerability #2 (Unsafe Flex AMF
Java Object Deserialization) was also found and reported to Cisco by
Olivier Arteau of Groupe Technologie Desjardins [3] and vulnerability #3
(Privilege Escalation via Incorrect sudo File Permissions) was also
found and reported to Cisco by Hector Cuesta [4].
Cisco refused to credit Agile Information Security with finding
vulnerabilities #2 and #3, and also refused to provide a CVE for both
these vulnerabilities, saying regarding #3 that "This issue has been
evaluated as a hardening effort to improve the security posture of the
device. According with our Security vulnerability policy, we request do
not request a CVE assignment for issue with a Severity Impact Rating
(SIR) lower than Medium. This issue will be fixed in the upcoming ISE
release".
At the time of the latest update, Cisco still recommends version
2.4.0.357 - affected by all the vulnerabilities in this advisory - as
the "Suggested Release" in their software download page.
These actions show Cisco is incredibly negligent with regards to the
security of their customers. They are still shipping (and recommending)
a product version vulnerable to unauthenticated remote code execution,
with a fully working public exploit and no way to