Cisco Authenticated SQL Injection in REST API

Product: Cisco Identity Services Engine 1.4 Patch 8
Severity: Low
CVE Reference: TBD
Type: SQL Injection

Description

Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company’s routers and switches. The purpose is to simplify identity management across diverse devices and applications.
Cisco also provides the Monitoring REST API, which allows an organization to gather session and node-specific information from the monitoring nodes on a network.
MWR discovered several SQL Injection points in the Monitoring REST API. These injection points allow an authenticated malicious user with admin rights to bypass database controls and directly interact with the database.

Impact

This would give an attacker with administrative credentials the ability to view the contents of the Oracle database, as well as potentially tamper with the session data.
Administrators don’t normally have direct access to the database, or the underlying operating system.

Cause

Data was inserted directly into the query without proper sanitization or parameterization.
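The following is an added illustration of this cause, not code from Cisco ISE or from the MWR advisory: a session lookup built by string concatenation next to the same lookup using a bind parameter. sqlite3 stands in for the Oracle database named above, and the sessions table, its columns and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for a monitoring node's session store.
SESSIONS = [
    ("alice", "node-a", "10.0.0.5"),
    ("bob", "node-a", "10.0.0.9"),
    ("carol", "node-b", "10.0.0.17"),
]


def make_db():
    """In-memory sqlite3 database used as a stand-in for the product's Oracle backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (username TEXT, node TEXT, endpoint_ip TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SESSIONS)
    return conn


def active_sessions_vulnerable(conn, username):
    """Concatenates the caller-supplied value into the SQL text. A quote in the
    input terminates the string literal and the remainder becomes SQL syntax."""
    sql = ("SELECT username, node, endpoint_ip FROM sessions "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def active_sessions_fixed(conn, username):
    """Passes the value as a bind parameter. The driver sends it as data, so the
    query structure is fixed regardless of the characters the value contains."""
    sql = "SELECT username, node, endpoint_ip FROM sessions WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Runs both variants against a benign value and a value containing a quote."""
    conn = make_db()
    benign = "alice"
    hostile = "alice' OR '1'='1"   # constructed input with an embedded quote
    return {
        "vuln_benign": active_sessions_vulnerable(conn, benign),
        "vuln_hostile": active_sessions_vulnerable(conn, hostile),   # returns every row
        "fixed_benign": active_sessions_fixed(conn, benign),
        "fixed_hostile": active_sessions_fixed(conn, hostile),       # returns no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```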

Interim Workaround

Use secure administrator credentials.

Solution

At this time there is no permanent solution.

Technical details

Please see attached advisory PDF for technical details.

Disclosure Timeline

Date        Summary
05/10/2016  Issue reported to vendor
13/10/2016  Vendor acknowledged issue
21/10/2016  Bug CSCvb71469 assigned
TBD         Issue disclosed by vendor
TBD         Issue disclosed by MWR