Cisco Identity Services Engine (ISE) contains the following vulnerabilities:

Cisco ISE Authenticated Arbitrary Command Execution Vulnerability
Cisco ISE Support Information Download Authentication Bypass Vulnerability

These vulnerabilities are independent of each other; a release that is
affected by one of the vulnerabilities may not be affected by the
other.

Successful exploitation of Cisco ISE Authenticated Arbitrary Command Execution Vulnerability may allow an authenticated remote
attacker to execute arbitrary code on the underlying operating system.

Successful
exploitation of Cisco ISE Support Information Download Authentication Bypass Vulnerability could allow an attacker to obtain
sensitive information including administrative credentials.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-ise

Note: Cisco ISE Software is also affected by the Apache Struts Command
Execution Vulnerability described in a separate Cisco Security Advisory
available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2

Cisco ISE customers should consult that advisory before making a decision on the upgrade path.

Leave a Reply