Vulnerabilities > CVE-2019-15255 - Unspecified vulnerability in Cisco Identity Services Engine 2.2/2.2(0.470)

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
cisco
nessus

Summary

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information.

Vulnerable Configurations

Part Description Count
Application
Cisco
2

Nessus

NASL familyCISCO
NASL idCISCO-SA-20200108-ISE-AUTH-BYPASS.NASL
descriptionAn authentication bypass vulnerability exists in the web-based management component of Cisco Identity Services Engine due to insufficient validation of user-supplied URL input. An authenticated, remote attacker can exploit this, by submitting specially crafted URL to an affected host, to bypass authentication and gain access to sensitive information.
last seen2020-03-17
modified2020-02-24
plugin id133864
published2020-02-24
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/133864
titleCisco Identity Services Engine Authorization Bypass (cisco-sa-20200108-ise-auth-bypass)
code
#TRUSTED 23211e3637f16cf02003c0556841abea3290883b08c6ba013c6388df0c4f1bf3bf6c68771aaa5e7bc8523dd170c08991418cfa9b7847ee05e77353f8e710e6d42fa783dfccd836bc3c773edce3722b88d7a4beeb23220337682967cfaf52812777b4ca5681029ba22963c1a8a6328db61c0305504760df62a1cc40248ff3cfb6835ffc6aaf2151afcc8f3b8abf7879d61e0eabbd349c5f75a8d30488eb3d12788df1999c3db6b51760487c527d0741b6d5e2d806a66a0c6c8d71e7d9296dadb12fdac04ef9bc3bed012ffd6ccfbad46b74813a66a66d5e11f5e13b7b4edf48cb1703226fee9f82305949e436bb5ef01928afd1a2ee512e693bb394c2762d3fb5edd49198ffee3cbc0dc2d0b2b66d3a2dcbf07553ada3525d168cd4dd1aa02e77d14e54c9f017b46c0ce1d2b52f7840cf436aaf22e57d9df0b4e4f67031192e142350ac8226f7c4766ab7734a5150d8cba2a390fc13335bb5cacff723cb5a4148602fee65aa552058d98da307dbbec7c93c6095e394c5d701e143e727e9662e8fa137fc26352a2194a8ba386620f68156716d07c847f7b739829341e5803a6268d9c37f690c1bd38d9241c560d4043ef418c8fd0e24da88ac995aa316a3c1464f815453ce558129e92f0a3c756704b11d38cb1563325eff310f2a963c0d4b65efd3d7cd3f3ac0b222d66c7b9acb4491faba2080bb2837edccf47dd22df344c74a
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133864);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");

  script_cve_id("CVE-2019-15255");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq67348");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20200108-ise-auth-bypass");
  script_xref(name:"IAVA", value:"2019-A-0361");

  script_name(english:"Cisco Identity Services Engine Authorization Bypass (cisco-sa-20200108-ise-auth-bypass)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"An authentication bypass vulnerability exists in the web-based
management component of Cisco Identity Services Engine due to
insufficient validation of user-supplied URL input. An authenticated,
remote attacker can exploit this, by submitting specially crafted URL
to an affected host, to bypass authentication and gain access to
sensitive information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ise-auth-bypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c44d3d67");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq67348");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvq67348.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-15255");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/a:cisco:identity_services_engine");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ise_detect.nbin");
  script_require_keys("Host/Cisco/ISE/version");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco Identity Services Engine Software');

vuln_ranges = [
  { 'min_ver':'2.2.0', 'fix_ver':'2.2.0' }
];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

# ISE version doesn't change when patches are installed, so even if
# they are on the proper version we have to double check patch level
required_patch = '';
if (product_info['version'] =~ "^2\.2\.0($|[^0-9])") required_patch = '16';

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvq67348',
  'fix'      , 'See advisory'
);

# uses required_patch parameters set by above version ranges
cisco::check_and_report(
  product_info:			product_info,
  reporting:			reporting,
  workarounds:			workarounds,
  workaround_params:	workaround_params,
  vuln_ranges:			vuln_ranges,
  required_patch:		required_patch
);