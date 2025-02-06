Cisco patches critical flaws in Identity Services Engine
The flaws aren't believed to have been exploited in the wild yet
Cisco has rolled out software updates to address a pair of critical vulnerabilities in its Identity Services Engine (ISE) that could let hackers take over devices and access data.
The flaws affect Cisco ISE and Cisco ISE Passive Identity Connector, versions 3.0 to 3.3, but not 3.4. A workaround is not possible, so a software upgrade is required.
Cisco said in its support pages that the vulnerabilities aren't dependent on each other, so can be exploited separately. To take advantage of the flaws, an attacker would require "read-only" administrative credentials.
The first flaw, with a 9.9 critical rating, is in an API for Cisco ISE. The company explained this vulnerability was due to "insecure deserialization of user-supplied Java byte streams by the affected software".
"An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges," the advisory noted.
The second vulnerability is also in a Cisco ISE API with a 9.1 critical rating.
"This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data," the company said.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device," the company added. "A successful exploit could allow the attacker… to obtain information, modify system configuration, and reload the device."
Cisco issues free patch for customers
Cisco advised that companies with service contracts will receive the security patches through their usual update channels, but added that it had released a free update that's available for everyone.
The company thanked a set of Deloitte researchers for reporting the flaws, which aren't believed to be in use by hackers in the wild yet.
"The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory," the company said, referencing its Product Security Incident Response Team.
At the end of last year, hackers claimed to have successfully hoovered up key data from Cisco that was left public on the internet following a misconfiguration, including ISE details.
At present, there is no connection between that incident and the flaws spotted by security researchers.
MORE FROM ITPRO
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole the author of a book about the history of technology, The Long History of the Future.
Cyber attack delayed cancer treatment at NHS hospital
Rapid7 shakes up its channel ecosystem with new PACT Partner Program
Most Popular
Resources
Discover how these data centers from Germany and Australia became more resilient to disruption, while also lowering operating costs and CO2 emission
Posted
Testing the Value of Dell™ PowerEdge™ R750 Servers with Windows Server® 2022 Preinstalled
Posted