A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.
The vulnerability results from the lack of file validation mechanisms in the internal API, which allows placing a file in privileged operating system directories. An attacker sends a crafted file to the vulnerable device without the need for authentication. After successful file upload, it is possible to execute arbitrary code or gain full root permissions on the device's operating system.
An attacker can execute arbitrary code (RCE) with root privileges on the device, which means complete takeover of the system, including the ability to read, modify or delete data and perform further lateral movement in the network.
Apply patches available from the manufacturer according to the references — details in the Cisco Security Advisory guide: cisco-sa-ise-unauth-rce-ZAd2GnJ6 (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6). Until the update is applied, it is recommended to restrict access to the Cisco ISE API at the firewall level to only trusted IP addresses.
Cisco Identity Services Engine (ISE) and Cisco Identity Services Engine Passive Identity Connector (ISE-PIC) — specific versions indicated in the manufacturer's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCisco Identity Services Engine
APPCisco3.4.0Cisco Identity Services Engine Passive Identity Connector
APPCisco3.4.0
Related vulnerabilities
Nieuwierzytelniony RCE jako root w Cisco ISE i ISE-PIC poprzez API
Cisco ISE / ISE-PIC — nieuwierzytelniony RCE przez API jako root
A vulnerability in Cisco ISE and ISE-PIC could allow an authenticated, remote attacker to execute arbitrary co...
RCE w Cisco ISE — eskalacja uprawnień do root przez HTTP
Cisco ISE w chmurze: współdzielone statyczne poświadczenia umożliwiają nieautoryzowany dostęp