Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:952422
HistoryOct 28, 2013 - 12:00 a.m.

Cisco Identity Services Engine contains an input validation vulnerability

2013-10-2800:00:00
www.kb.cert.org
19

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS

0.004

Percentile

74.5%

JSON

Overview

Cisco Identity Services Engine contains an input validation vulnerability (CWE-20).

Description

CWE-20: Improper Input Validation

Cisco Identity Services Engine (ISE) contains an input validation vulnerability. The ISE device contains a TCP Dump option for analyzing traffic on the device. By using a proxy to modify the HTTP request, a remote authenticated attacker can encode commands into the vulnerable format parameter which could allow them to run arbitrary code on the affected system with the privilege of the root user.

Impact

A remote authenticated attacker may be able to execute arbitrary code as root on the device.

Solution

Apply an Update

Users are advised to refer to the “Software Versions and Fixes” section of the Cisco Security Advisory for details on which update is appropriate for their version of the Identity Services Engine.

Vendor Information

952422

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Cisco Systems, Inc. Affected

Notified: September 20, 2013 Updated: October 25, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 9 AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal 7.4 E:F/RL:OF/RC:C
Environmental 1.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Stephen Hosom for reporting this vulnerability. Cisco also credits Jan Kadijk from Warpnet for first directly reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-5530
Date Public: 2013-10-23 Date First Published:

Related

prion 1
cvelist 1
nvd 1
cve 1
cisco 1
securityvulns 1
prion
prion
Design/Logic Flaw
2013-10-25 03:52:00
cvelist
cvelist
CVE-2013-5530
2013-10-25 01:00:00
nvd
nvd
CVE-2013-5530
2013-10-25 03:52:54
cve
cve
CVE-2013-5530
2013-10-25 03:52:54
cisco
cisco
Multiple Vulnerabilities in Cisco Identity Services Engine
2013-10-23 16:00:00
securityvulns
securityvulns
Cisco Identity Services Engine multiple security vulnerabilities
2013-10-28 00:00:00

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS

0.004

Percentile

74.5%

JSON
Related for VU:952422
prion1cvelist1nvd1cve1cisco1securityvulns1