-
Cisco Identity Services Engine (ISE) contains a set of default credentials for its underlying database. A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device.
Cisco has released software updates that address this vulnerability. There is no workaround for this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110920-ise.
-
Vulnerable Products
This vulnerability affects all releases of Cisco ISE prior to release 1.0.4.MR2. This applies to both the hardware appliance and the software-only versions of the product.
The following methods can be used to determine which Cisco ISE release is installed:
- From the Cisco ISE command-line interface (CLI), issue the show application version ise command, as shown in the following example:
    ise-node1/admin# show application version ise
    Cisco Identity Services Engine
    ---------------------------------------------
    Version      : 1.0.4.558
    Build Date   : Thu 18 Aug 2011 04:41:15 PM EST
    Install Date : Fri 16 Sep 2011 01:38:48 PM EST
    ise-node1/admin#
- On the main login page of the Cisco ISE web-based interface, the version information is displayed under the "Identity Services Engine" heading.
- From the Cisco ISE web-based interface, log in and click on the "Help" button located at the bottom left corner of the screen. From the resulting menu, select "About Identity Services Engine". Version information is displayed on the resulting window under the "Identity Services Engine" heading.
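The following is an added example, not part of the Cisco advisory, showing how an operator could parse the output of "show application version ise" collected from a fleet of nodes and flag builds that predate the fixed release. It assumes, based on the fixed-software section, that 1.0.4.573 is the first build without the default database credentials; the sample output is constructed from the advisory's own example.

```python
import re
from typing import Optional, Tuple

# First Cisco ISE build that ships without the default database
# credentials, per the advisory's fixed-software section (assumption:
# 1.0.4.573 is the build the advisory's "1.0.4.MR2" refers to).
FIXED_VERSION = (1, 0, 4, 573)

# Constructed sample, modelled on the CLI output quoted in the advisory.
SAMPLE_OUTPUT = """\
ise-node1/admin# show application version ise
Cisco Identity Services Engine
---------------------------------------------
Version      : 1.0.4.558
Build Date   : Thu 18 Aug 2011 04:41:15 PM EST
Install Date : Fri 16 Sep 2011 01:38:48 PM EST
ise-node1/admin#
"""

VERSION_RE = re.compile(r"^\s*Version\s*:\s*(\d+(?:\.\d+)*)\s*$", re.MULTILINE)


def parse_ise_version(cli_output: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from the CLI output, or None when no
    Version line is present (e.g. a truncated capture) so the node is reviewed
    manually rather than silently assumed fixed."""
    match = VERSION_RE.search(cli_output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the build predates the first fixed release (CVE-2011-3290)."""
    # Pad shorter tuples with zeros so 1.0.4 compares as 1.0.4.0.
    width = max(len(version), len(FIXED_VERSION))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed


def assess(cli_output: str) -> str:
    """Classify a node's CLI output as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_ise_version(cli_output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))  # 1.0.4.558 predates 1.0.4.573 -> vulnerable
```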
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco Identity Services Engine provides an attribute-based access control solution that combines authentication, authorization, and accounting (AAA); posture; profiling; and guest management services on a single platform. Administrators can centrally create and manage access control policies for users and endpoints in a consistent fashion, and gain end-to-end visibility into everything that is connected to the network.
The Cisco ISE contains a set of default credentials for its underlying database. A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device.
This vulnerability is documented in Cisco bug ID CSCts59135 (registered customers only) and has been assigned the CVE identifier CVE-2011-3290.
-
There is no workaround for this vulnerability.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20110920-ise
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Cisco ISE release 1.0.4.573 is available as either an ISO image containing a complete installation image, which can be used for a new install or for completely reimaging an existing installation (filename is ise-1.0.4.573.i386.iso), or as an application bundle that can be used to upgrade an existing Cisco ISE release 1.0 (1.0.3.377) or Cisco ISE release 1.0MR (1.0.4.558) installation to Cisco ISE release 1.0.4.573 (filename is ise-appbundle-1.0.4.573.i386.tar.gz).
Those files can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html. The files are accessible using the following path:
On installation, either as a clean install from the ISO image or application bundle for upgrading an existing install, Cisco ISE release 1.0.4.573 will:
- remove the existing database default credentials, and
- request the user to provide new database credentials
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by Andrey Ovrashko and Sergey Bondarenko of BMS Consulting, Ukraine. Cisco would like to thank Andrey Ovrashko, Sergey Bondarenko and BMS Consulting for reporting this vulnerability and for working with us towards a coordinated disclosure of the vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.2 2012-March-22 Updated information about fixed software availability.
Revision 1.1 2011-October-03 Updated with information about fixed software availability.
Revision 1.0 2011-September-20 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.