Cisco patches critical flaws in Identity Services Engine

News
By
published

The flaws aren't believed to have been exploited in the wild yet

Cisco logo and branding pictured on the company's pavilion ahead of the World Economic Forum (WEF) in Davos, Switzerland, on Monday, Jan. 20, 2025.
(Image credit: Getty Images)

Cisco has rolled out software updates to address a pair of critical vulnerabilities in its Identity Services Engine (ISE) that could let hackers take over devices and access data.

The flaws affect Cisco ISE and Cisco ISE Passive Identity Connector, versions 3.0 to 3.3, but not 3.4. A workaround is not possible, so a software upgrade is required.

Cisco said in its support pages that the vulnerabilities aren't dependent on each other, so can be exploited separately. To take advantage of the flaws, an attacker would require "read-only" administrative credentials.

The first flaw, with a 9.9 critical rating, is in an API for Cisco ISE. The company explained this vulnerability was due to "insecure deserialization of user-supplied Java byte streams by the affected software".

"An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges," the advisory noted.

The second vulnerability is also in a Cisco ISE API with a 9.1 critical rating.

"This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data," the company said.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device," the company added. "A successful exploit could allow the attacker… to obtain information, modify system configuration, and reload the device."

Cisco issues free patch for customers

Cisco advised that companies with service contracts will receive the security patches through their usual update channels, but added that it had released a free update that's available for everyone.

RELATED WHITEPAPER

Grow and Innovate on an Energy-Efficient, Sustainable IT Infrastructure

(Image credit: Dell)

An environmentally responsible approach to IT operations

The company thanked a set of Deloitte researchers for reporting the flaws, which aren't believed to be in use by hackers in the wild yet.

"The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory," the company said, referencing its Product Security Incident Response Team.

At the end of last year, hackers claimed to have successfully hoovered up key data from Cisco that was left public on the internet following a misconfiguration, including ISE details.

At present, there is no connection between that incident and the flaws spotted by security researchers.

MORE FROM ITPRO

TOPICS
Nicole Kobie
Nicole Kobie

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole the author of a book about the history of technology, The Long History of the Future.

More about security
NHS logo displayed on a smartphone screen in white lettering on a blue background.

Cyber attack delayed cancer treatment at NHS hospital
Rapid7 logo and branding pictured in the entrance of the company's headquarters in Boston, USA.

Rapid7 shakes up its channel ecosystem with new PACT Partner Program
Metal bucket full of red numbers on beige background

Abandoned S3 buckets could have caused a catastrophic supply chain attack – and all at a cost of just $400
See more latest