Cisco patches critical flaws in Identity Services Engine
The flaws aren't believed to have been exploited in the wild yet


Cisco has rolled out software updates to address a pair of critical vulnerabilities in its Identity Services Engine (ISE) that could let hackers take over devices and access data.
The flaws affect Cisco ISE and the Cisco ISE Passive Identity Connector in releases 3.0 through 3.3; release 3.4 is not affected. There are no workarounds, so upgrading to a fixed release is the only remedy.
Cisco said in its advisory that the two vulnerabilities are not dependent on each other, so either can be exploited on its own. Both require authentication: an attacker needs valid credentials with at least "read-only" administrative privileges, so the realistic path to exploitation is an already compromised or malicious admin account rather than an unauthenticated attacker on the network.
The first flaw, rated 9.9 (critical), is in a Cisco ISE API. Cisco attributed it to "insecure deserialization of user-supplied Java byte streams by the affected software".
"An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges," the advisory noted.
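The "crafted serialized Java object" has a recognisable shape on the wire: every Java serialization stream opens with the bytes AC ED 00 05, which base64-encode to a string beginning "rO0AB". The following Python is an added example, not code from Cisco or its advisory, that flags HTTP request bodies carrying such a stream (raw, percent-encoded or base64-wrapped) and checks whether a version string falls in the 3.0 to 3.3 release trains the article lists as affected. The sample requests, the /api/v1/example path and the log record layout are constructed for the demonstration and are not ISE's.

```python
"""Flag request bodies that carry a Java serialization stream.

Added example with constructed sample data; the paths and record layout
are assumptions for the demonstration, not Cisco ISE's real API or logs.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import unquote_to_bytes

# Every Java serialization stream starts with STREAM_MAGIC (0xACED)
# followed by STREAM_VERSION (0x0005), per java.io.ObjectStreamConstants.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Those bytes base64-encode to "rO0ABQ==", so any base64-wrapped stream
# begins "rO0AB" (the sixth character depends on the byte after the header).
JAVA_STREAM_MAGIC_B64_PREFIX = "rO0AB"
# Standard-alphabet base64 tokens starting with the encoded header.
# URL-safe base64 ('-' and '_') is not covered; extend the class if needed.
_B64_TOKEN = re.compile(r"rO0AB[A-Za-z0-9+/]+")


def _has_b64_java_stream(text: str) -> bool:
    """True if some base64 token in text decodes to bytes beginning with the magic."""
    for token in _B64_TOKEN.findall(text):
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(JAVA_STREAM_MAGIC):
            return True
    return False


def java_stream_encoding(body: bytes) -> str | None:
    """Return how a Java stream appears in body: 'raw', 'percent-encoded',
    'base64', or None if no stream header is found."""
    if JAVA_STREAM_MAGIC in body:
        return "raw"
    decoded = unquote_to_bytes(body)  # handles %AC%ED%00%05 in form bodies
    if JAVA_STREAM_MAGIC in decoded:
        return "percent-encoded"
    for candidate in (body, decoded):
        if _has_b64_java_stream(candidate.decode("ascii", errors="ignore")):
            return "base64"
    return None


def scan_requests(records: list[dict]) -> list[dict]:
    """Return the records whose body carries a Java stream, annotated with the encoding."""
    hits = []
    for rec in records:
        encoding = java_stream_encoding(rec["body"])
        if encoding is not None:
            hits.append({**rec, "encoding": encoding})
    return hits


def in_affected_train(version: str) -> bool:
    """True if the version belongs to the 3.0-3.3 release trains listed as
    affected. True means 'check the patch level', not 'vulnerable': the
    fixed releases ship within these same trains."""
    match = re.match(r"^(\d+)\.(\d+)", version.strip())
    if not match:
        return False
    major, minor = int(match.group(1)), int(match.group(2))
    return major == 3 and 0 <= minor <= 3


# Constructed samples: a harmless JSON call, a raw serialized java.lang.String "x"
# (TC_STRING 0x74, length 1, 'x'), the same object percent-encoded in a form
# body, and the same object base64-wrapped inside a JSON field.
SERIALIZED_STRING_X = JAVA_STREAM_MAGIC + b"\x74\x00\x01x"
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/api/v1/example", "body": b'{"name": "demo"}'},
    {"src": "10.0.0.9", "path": "/api/v1/example", "body": SERIALIZED_STRING_X},
    {"src": "10.0.0.9", "path": "/api/v1/example",
     "body": b"data=%AC%ED%00%05%74%00%01x"},
    {"src": "10.0.0.9", "path": "/api/v1/example",
     "body": b'{"payload": "' + base64.b64encode(SERIALIZED_STRING_X) + b'"}'},
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['src']} {hit['path']} java stream ({hit['encoding']})")
    for v in ("3.0", "3.2.0", "3.4"):
        print(v, "affected train" if in_affected_train(v) else "not in affected trains")
```

Run it over the request bodies your reverse proxy or WAF records for the ISE admin interface: a serialized Java object arriving from an account that should only hold read-only admin rights is worth a closer look whether or not the node is patched. The version helper answers only "is this a train the advisory covers"; confirm the installed patch level against Cisco's fixed-release list before treating a node as safe.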
The second vulnerability, rated 9.1 (critical), is also in a Cisco ISE API.
"This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data," the company said.
"An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device," the company added. "A successful exploit could allow the attacker… to obtain information, modify system configuration, and reload the device."
Cisco issues free patch for customers
Cisco advised that customers with service contracts will receive the fixes through their usual update channels, and added that the update is free for all affected customers.
The company credited a team of Deloitte researchers with reporting the flaws, which are not believed to have been exploited in the wild.
"The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory," the company said, referencing its Product Security Incident Response Team.
At the end of last year, hackers claimed to have hoovered up key data that Cisco had left exposed on the internet through a misconfiguration, including ISE details.
There is no known connection between that incident and the flaws reported here.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.