Cisco Working on Fix for ISE Hole
Tuesday, September 1, 2015 @ 04:09 PM gHale
Cisco found a problem in its Identity Services Engine (ISE) where its administration portal doesn’t properly authorize HTML requests, which could allow an attacker to see custom pages an administrator created.
“To exploit this vulnerability, the attacker must send a crafted HTTP request to the filename of the customized page on the guest portal,” the Cisco advisory said. “The Cisco ISE guest portal is configured to use customized uploaded HTML files, making an exploit easier to accomplish. Environments that restrict access from untrusted sources could make successful exploitation more difficult.”
A system administrator’s custom pages can contain sensitive security information about the network that ISE is managing.
Cisco said it has seen exploit code for the vulnerability, but so far it is not aware of any code in the wild. However, it hasn’t yet created a patch.
Cisco advises administrators not to put sensitive information into ISE custom pages, and recommends using access control lists to restrict access to custom pages to trusted machines.
Cisco released bug ID CSCuo78045 for registered users, which contains additional details and an up-to-date list of affected product versions.