Command execution in Cisco Identity Services Engine



Updated: 2018-10-09
Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2018-15424, CVE-2018-15425
CWE-ID: CWE-77
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cisco Identity Services Engine (ISE) (Server applications / Other server solutions)
Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Command injection

EUVDB-ID: #VU15212

Risk: Low

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-15424

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists in the web-based management interface of Cisco Identity Services Engine (ISE) due to command injection. A remote authenticated attacker can inject and execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server.

Mitigation

The vulnerability has been fixed in versions 2.2(1.901) and 2.2(0.910).

Vulnerable software versions

Cisco Identity Services Engine (ISE): 2.2.0.470

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ise-mult-vul...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Command injection

EUVDB-ID: #VU15213

Risk: Low

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-15425

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists in the web-based management interface of Cisco Identity Services Engine (ISE) due to command injection. A remote authenticated attacker can inject and execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server.

Mitigation

The vulnerability has been fixed in versions 2.2(1.901) and 2.2(0.910).

Vulnerable software versions

Cisco Identity Services Engine (ISE): 2.2.0.470

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ise-mult-vul...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


