Vulnerabilities > CVE-2019-1851 - Unspecified vulnerability in Cisco Identity Services Engine 2.2(0.470)/2.3(0.298)/2.4(0.357)

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
cisco
nessus

Summary

A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the Internal Certificate Authority (CA) Services on ISE. This vulnerability is due to an incorrect implementation of role-based access control (RBAC). An attacker could exploit this vulnerability by crafting a specific HTTP request with administrative credentials. A successful exploit could allow the attacker to generate a certificate that is signed and trusted by the ISE CA with arbitrary attributes. The attacker could use this certificate to access other networks or assets that are protected by certificate authentication.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20190515-ISE-CERTCREATION.NASL
descriptionA vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the InternalCertificate Authority (CA) Services on ISE. This vulnerability is due to an incorrect implementation of role-based access control (RBAC). An attacker could exploit this vulnerability by crafting a specific HTTP request with administrative credentials. A successful exploit could allow the attacker to generate a certificate that is signed and trusted by the ISE CA with arbitrary attributes. The attacker could use this certificate to access other networks or assets that are protected by certificate authentication. Please see the included Cisco BIDs and Cisco Security Advisory for more information
last seen2020-06-01
modified2020-06-02
plugin id128684
published2019-09-11
reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/128684
titleCisco Identity Services Engine Arbitrary Client Certificate Creation Vulnerability
code
#TRUSTED 34a1eb5623d385c71edd2069a63800a458fd350f3c282944f7a398b3eaadc7f60d7f2ad6273208790b7d8846c5d14ecff074bce4039863615d5e0526010e4fbaff27995100b7c3b0e849fec96786b62e6b99091090cd22ecf59de3179d652bfbabb4bdf9e02ec9346b5b03711a73d99f89634f6a08442b76825138e41a5522b129f64ce8eb0d217b8caf89d44f7285530490a99b6d5c7ab693dba5c78038541e6f9ef50aa2d5ff41665253031864a94eaf7061bfece6073093c4bff17fe3c1d0029e978f89e4b004447e4f9790bd4f6f189592367c3e57e7c15be97d948a57310746d9c3544ef355bce4e70663dda443062821e67ea2f892570d865edb9cbdc710d6129585caa796921645efe6fafc0db6cbfb5ef2d27078e3e77dc2a89973627f247bae209e8ce985af25380d290ded19a95c0b74f23133022d167b0b4c20ee0d82c080e6f9e8a616f9135f9c517217e66a1986809899d92fb7c150f68e4ef792f2ac734e2ea03b4376618adab86ed0e8327405345ddfb1993dbacdc122327942412045efede68c6362ddfbc44410903b9272cba16a8ae19f88e770becb5955b11c78330148b5012a9896f779714b4619356aecb80da939a3dccc6466de0e06aeb610f8dca6131daac16c90f2fd3c5731ae00a29fa6b447f60bf41db071bbe88fe02a43cc73538416eb1c9de4a87331022aebf8ec681ba1b7dc19042ac72e61
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(128684);
  script_version("1.7");
  script_cvs_date("Date: 2020/02/14");

  script_cve_id("CVE-2019-1851");
  script_bugtraq_id(108356);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvm81230");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190515-ise-certcreation");

  script_name(english:"Cisco Identity Services Engine Arbitrary Client Certificate Creation Vulnerability");
  script_summary(english:"Checks the version of Cisco Identity Services Engine Software");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"A vulnerability in the External RESTful Services (ERS) API of the
 Cisco Identity Services Engine (ISE) could allow an authenticated,
 remote attacker to generate arbitrary certificates signed by the
 InternalCertificate Authority (CA) Services on ISE. This
 vulnerability is due to an incorrect implementation of role-based
 access control (RBAC). An attacker could exploit this vulnerability
 by crafting a specific HTTP request with administrative credentials.
 A successful exploit could allow the attacker to generate a
 certificate that is signed and trusted by the ISE CA with arbitrary
 attributes. The attacker could use this certificate to access other
 networks or assets that are protected by certificate authentication.

Please see the included Cisco BIDs and Cisco Security Advisory for
more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-ise-certcreation
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?980cfdbf");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm81230");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvm81230");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1851");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(285);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/11");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:identity_services_engine");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ise_detect.nbin");
  script_require_keys("Host/Cisco/ISE/version", "Settings/ParanoidReport");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');
include('lists.inc');

product_info = cisco::get_product_info(name:'Cisco Identity Services Engine Software');
if (report_paranoia < 2) audit(AUDIT_PARANOID);

vuln_ranges = [
{ 'min_ver' : '0.0', 'fix_ver' : '2.2.0.470' },
{ 'min_ver' : '2.3.0', 'fix_ver' : '2.3.0.298' },
{ 'min_ver' : '2.4.0', 'fix_ver' : '2.4.0.357' }
];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

# ISE version doesn't change when patches are installed, so even if
# they are on the proper version we have to double check patch level
required_patch = '';
if (product_info['version'] =~ "^2\.2\.0($|[^0-9])") required_patch = '15';
else if (product_info['version'] =~ "^2\.3\.0($|[^0-9])") required_patch = '7';
else if (product_info['version'] =~ "^2\.4\.0($|[^0-9])") required_patch = '8';

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvm81230',
  'fix'      , 'See advisory'
);

# uses required_patch parameters set by above version ranges
cisco::check_and_report(
    product_info:product_info,
    reporting:reporting,
    workarounds:workarounds,
    workaround_params:workaround_params,
    vuln_ranges:vuln_ranges,
    required_patch:required_patch);