Cisco ISE carries HTML authentication bug

Web portal access needs to be restricted


Cisco's identified a bug in its Identity Services Engine: its admin portal doesn't properly authorise HTML requests, and that can let an attacker see custom pages an admin has created.

The reason it matters is that sys admins' custom pages can contain sensitive security information about the network that ISE is managing.

“The vulnerability is due to lack of access control for the uploaded HTML files. An attacker could exploit this vulnerability by crafting an HTTP request that points to the filename of the customised page”, the security note states.

The company says it's seen exploit code for the vulnerability, but so far isn't aware of any code in the wild. However, it hasn't yet been able to produce a software update.

Cisco advises admins not to put sensitive information into ISE custom pages, and recommends that access control lists to restrict access to custom pages to trusted machines. ®


Biting the hand that feeds IT © 1998–2021