Cisco Bug: CSCun25815 - ISE 1.2 marks DCs as 'Dead' while doing a 'CAPILdapFetch'

Last Modified

Jun 10, 2016

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.2(0.899)

Description (partial)

Symptoms:
A vulnerability in the Active Directory integration component of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform a denial-of-service attack.

The vulnerability is due to improper handling of PAP authentication requests when ISE is configured with an authorization policy based on Active Directory group membership. An attacker could exploit this vulnerability by crafting a special but formally correct PAP authentication request that triggers the issue. An exploit could allow the attacker to cause all subsequent authentication requests for the same Active Directory domain to fail.

Conditions:
ISE is configured with an authorization policy based on Active Directory group membership, with AD attribute retrieval and check configured.