Cisco ISE Vulnerability

Thursday, September 22, 2011 @ 04:09 PM gHale

Cisco has a critical vulnerability (CVE-2011-3290) in its Identity Services Engine (ISE).

In its security advisory, the company said the underlying database used by ISE, its identity and access control policy platform, contains three sets of default credentials a hacker could exploit via a remote attacker without any end-user interaction.

Oracle Security Holes
Cisco Patches Critical Vulnerabilities
More SCADA Vulnerabilities Hit Industry
Holes Found in Siemens WinCC

Using these credentials, an attacker could modify the configuration and settings, or even gain complete administrative control of a device. All hardware appliance and software-only versions of Cisco ISE prior to 1.0.4.MR2 have the issue.

The company says that it will release a free update to the software to address the vulnerability on 30 September 2011; no temporary workaround is available.

Once released, the updates will be available to download from the Cisco Software Center.