"Cisco Identifies Vulnerabilities in Identity Services Engine"

High-severity vulnerabilities in Cisco Systems' network access control solution could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security safeguards, and carry out Cross-Site Scripting (XSS) attacks. Four of the five Cisco Identity Services Engine (ISE) issues were discovered earlier in November, but network and security administrators will have to wait until Cisco releases software fixes for them. There is no workaround for these vulnerabilities, tracked as CVE-2022-20964, CVE-2022-20965, CVE-2022-20966, and CVE-2022-20967. According to Cisco, only valid, authorized ISE users can exploit them. Until the fixes are released, ISE administrators are urged to take extra precautions to limit console access and admin web access.

CVE-2022-20961, a hole in ISE's web-based management interface that could allow an unauthenticated, remote attacker to conduct a Cross-Site Request Forgery (CSRF) attack and perform arbitrary actions on an affected device, has already received software updates. Cisco says this vulnerability stems from insufficient CSRF protections in the affected device's web-based management interface. An attacker could exploit the flaw by convincing a user of the interface to click on a crafted link; the forged request would then be carried out with the target user's privileges, allowing the attacker to perform arbitrary actions on the affected device.

Cisco noted that the four vulnerabilities listed in one advisory are not dependent on one another for exploitation. Furthermore, a software release that is affected by one of the vulnerabilities may not be affected by the others. This article continues to discuss the potential impact of the ISE vulnerabilities.
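The "insufficient CSRF protections" behind the management-interface flaw amount to the absence of two server-side controls. As an added illustration (not Cisco's code and not from the article), the following Python check shows both for a state-changing admin request: a session-bound synchronizer token and an Origin/Referer check; the interface hostname, session identifier and form field names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical management-interface origin (constructed for this example).
TRUSTED_ORIGIN = "https://ise-admin.example.internal"
# Server-side secret used to derive per-session tokens; generated at start-up.
SERVER_SECRET = secrets.token_bytes(32)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_token_for(session_id: str) -> str:
    """Synchronizer-token pattern: derive a token bound to one session.

    The interface embeds this in its own forms; a page on another site
    cannot read it, and a token from a different session will not match.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(url: str) -> bool:
    """Compare scheme and host of an Origin/Referer value with the trusted origin.

    A full origin comparison (not a prefix check) avoids accepting look-alike
    hosts such as trusted-host.attacker.example.
    """
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def csrf_check(method: str, headers: dict, form: dict, session_id: str) -> tuple:
    """Return (allowed, reason) for an admin request carrying a valid session cookie.

    A request triggered by a crafted link still carries the victim's cookie, which
    is why the cookie alone is not enough: the request must also prove it came
    from the interface itself (Origin/Referer) and carry the session's token.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not _same_origin(origin):
        return False, f"rejected: origin {origin!r} is not the management interface"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token_for(session_id)):
        return False, "rejected: missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "victim-session-123"  # constructed session identifier
    legit = {"csrf_token": csrf_token_for(sid), "action": "add_admin"}
    print(csrf_check("POST", {"Origin": TRUSTED_ORIGIN}, legit, sid))
    # Forged submission reached via a crafted link on another site: no token, foreign Origin.
    print(csrf_check("POST", {"Origin": "https://other.example"}, {"action": "add_admin"}, sid))
```

Either control alone leaves a gap (Origin can be absent in some clients, tokens can leak through XSS), which is why both are normally deployed together.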

IT World reports "Cisco Identifies Vulnerabilities in Identity Services Engine"
