[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Identity Services Engine

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Identity Services Engine
From: Cisco Systems Product Security Incident Response Team <psirt@xxxxxxxxx>
Date: Wed, 23 Oct 2013 12:13:50 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Multiple Vulnerabilities in Cisco Identity Services Engine

Advisory ID: cisco-sa-20131023-ise

Revision 1.0

For Public Release 2013 October 23 16:00  UTC (GMT)
======================================================================

Summary
- -------

Cisco Identity Services Engine (ISE) contains the following vulnerabilities:

        Cisco ISE Authenticated Arbitrary Command Execution Vulnerability
        Cisco ISE Support Information Download Authentication Bypass 
Vulnerability

These vulnerabilities are independent of each other; a release that is affected 
by one of the vulnerabilities may not be affected by the other.

Successful exploitation of Cisco ISE Authenticated Arbitrary Command Execution 
Vulnerability may allow an authenticated remote attacker to execute arbitrary 
code on the underlying operating system.
Successful exploitation of Cisco ISE Support Information Download 
Authentication Bypass Vulnerability could allow an attacker to obtain sensitive 
information including administrative credentials.

Cisco has released free software updates that address these vulnerabilities. 
Workarounds that mitigate these vulnerabilities are not available. This 
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-ise

Note: Cisco ISE Software is also affected by the Apache Struts Command 
Execution Vulnerability described in a separate Cisco Security Advisory 
available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2

Cisco ISE customers should consult that advisory before making decision on the 
upgrade path.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAlJn58YACgkQUddfH3/BbTrONAD9H9SWav6ti4+8q/Ps58twqJ7m
gkTHHTe6/MdgE1K62ZIA/2+7TGX4/3liKP6YSwZsyUVMB0YN5UmnTNwRR8OL06aX
=iYhW
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Cisco Security Advisory: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Next by Date: [Full-disclosure] Cisco Security Advisory: Cisco IOS XR Software Route Processor Denial of Service Vulnerability
Previous by thread: [Full-disclosure] Cisco Security Advisory: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Next by thread: [Full-disclosure] Cisco Security Advisory: Cisco IOS XR Software Route Processor Denial of Service Vulnerability
Index(es):
- Date
- Thread