|Product||Cisco Identity Services Engine 1.4 Patch 8|
Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company’s routers and switches. The purpose is to simplify identity management across diverse devices and applications.
Cisco also provides a Monitoring REST API, which allows an organisation to gather session and node-specific information from the monitoring nodes on a network.
MWR discovered several SQL injection points in the Monitoring REST API. Through these, an authenticated user holding administrator rights can bypass the controls the application places around its database and interact with the database directly.
This would give an attacker with administrative credentials the ability to read the contents of the Oracle database, and potentially to tamper with the session data it holds.
Administrators do not normally have direct access to the database or to the underlying operating system.
User-supplied data was inserted directly into the SQL query without proper sanitisation or parameterisation.
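The advisory does not publish the affected queries (see the attached PDF). As an added illustration that is not code from MWR or Cisco, the block below shows the root cause in its generic form: a caller-supplied filter value concatenated into the statement text, beside the same lookup written with a bound parameter. SQLite stands in for the Oracle back end, and the `sessions` and `admin_users` tables, their columns and rows are constructed for the demo rather than taken from ISE.

```python
"""Illustrative example (not ISE code): string-built SQL versus a bound parameter.
SQLite stands in for Oracle; all table names, columns and rows are constructed."""
import sqlite3


def build_db():
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sessions (session_id TEXT, username TEXT, endpoint_ip TEXT, status TEXT);
        INSERT INTO sessions VALUES ('0A0000010000000B', 'alice', '10.0.0.11', 'STARTED');
        INSERT INTO sessions VALUES ('0A0000010000000C', 'bob',   '10.0.0.12', 'STARTED');
        CREATE TABLE admin_users (username TEXT, password_hash TEXT);
        INSERT INTO admin_users VALUES ('admin', 'constructed-hash-value');
    """)
    return conn


def lookup_session_unsafe(conn, session_id):
    # The pattern described above: the value is concatenated into the statement,
    # so a quote character in it is parsed as SQL grammar rather than as data.
    sql = ("SELECT session_id, username FROM sessions WHERE session_id = '"
           + session_id + "'")
    return conn.execute(sql).fetchall()


def lookup_session_safe(conn, session_id):
    # Bound parameter: the value travels separately from the statement text,
    # so it can match (or not match) a row but can never alter the query shape.
    sql = "SELECT session_id, username FROM sessions WHERE session_id = ?"
    return conn.execute(sql, (session_id,)).fetchall()


def demo():
    """Run both lookups with a benign ID and two injection payloads."""
    conn = build_db()
    benign = "0A0000010000000B"
    # Tautology: turns a single-row lookup into a dump of the whole table.
    dump_all = "x' OR '1'='1"
    # UNION: reads rows from a table the API was never meant to expose;
    # the trailing comment swallows the closing quote added by the code.
    cross_table = "x' UNION SELECT username, password_hash FROM admin_users --"
    return {
        "unsafe_benign": lookup_session_unsafe(conn, benign),
        "unsafe_dump_all": lookup_session_unsafe(conn, dump_all),
        "unsafe_cross_table": lookup_session_unsafe(conn, cross_table),
        "safe_benign": lookup_session_safe(conn, benign),
        "safe_dump_all": lookup_session_safe(conn, dump_all),
        "safe_cross_table": lookup_session_safe(conn, cross_table),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unsafe lookup returns every session for the tautology payload and the contents of `admin_users` for the UNION payload; the parameterised lookup returns the single matching row for the real ID and nothing for either payload, because the payload is compared as a literal string. This is the difference between an administrator being confined to the API's intended views and an administrator reading the database directly, which is the impact described in this advisory.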
Use strong administrator credentials, since exploitation requires an authenticated account with administrative rights.
At the time of writing there is no permanent fix available from the vendor.
Please see attached advisory PDF for technical details.
|05/10/2016||Issue reported to vendor|
|13/10/2016||Vendor acknowledged issue|
|21/10/2016||Bug CSCvb71469 assigned|
|TBD||Issue disclosed by vendor|
|TBD||Issue disclosed by MWR|