Cisco has released updates to fix two critical security flaws in Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges on susceptible devices.
The vulnerabilities are listed below –
- CVE-2015-20124 (CVSS score: 9.9) – An insecure Java deserialization vulnerability in an API of Cisco ISE that could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.
- CVE-2015-20125 (CVSS score: 9.1) – An authorization bypass vulnerability in an API of Cisco ISE that could allow an authenticated, remote attacker with valid read-only credentials
An attacker could exploit either flaw by sending a crafted serialized Java object or HTTP request to an unspecified API endpoint, resulting in privilege escalation and code execution.
Cisco said the two vulnerabilities are not dependent on each other and that there are no workarounds that mitigate them. They have been addressed in the versions below –
- Cisco ISE Software Release 3.0 (migrate to a fixed release)
- Cisco ISE Software Release 3.1 (fixed in 3.1P10)
- Cisco ISE Software Release 3.2 (fixed in 3.2P7)
- Cisco ISE Software Release 3.3 (fixed in 3.3P4)
- Cisco ISE Software Release 3.4 (not vulnerable)
Deloitte security researchers Dan Marina and Sebastian Radulei have been credited with discovering and reporting the vulnerabilities.
While the networking equipment major said it is not aware of any malicious exploitation of the flaws, users are advised to keep their systems up to date for optimal protection.