Cisco addressed several high-severity flaws in its products

Cisco addressed multiple flaws impacting its products, including high-severity issues in identity, email, and web security solutions.

Cisco addressed multiple vulnerabilities impacting some of its products, including high-severity flaws in identity, email, and web security products.

The most severe vulnerability addressed by the IT giant is a cross-site request forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score of 8.8), that impacts the Identity Services Engine (ISE). An unauthenticated, remote attacker can exploit the vulnerability to perform arbitrary actions on a vulnerable device. The root cause of the issue is the insufficient CSRF protections for the web-based management interface of an affected device.

“A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.” reads the advisory. “This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the target user.”

Cisco also addressed an Insufficient Access Control vulnerability, tracked as CVE-2022-20956 (CVSS score of 7.1), in its ISE product. The flaw is caused by improper access control in the web-based management interface and an attacker can trigger it by sending specially-crafted HTTP requests to affected devices.

“This vulnerability is due to improper access control in the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.” reads the advisory. “A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to.”

The Cisco PSIRT is aware of the availability of proof-of-concept exploit code for the vulnerability.

The company also fixed a SQL Injection Vulnerability, tracked as CVE-2022-20867, and a Privilege Escalation Vulnerability, tracked as CVE-2022-20868, in the Cisco ESA and Cisco Secure Email and Web Manager Next Generation Management.

The IT giant is also investigating the potential impact of the OpenSSL vulnerabilities tracked as CVE-2022-3602 and CVE-2022-3786.

Detailed information on the issues addressed by the vendor are available on Cisco’s product security page.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.