Cisco Bug: CSCur00532 - ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock)

Last Modified

Dec 19, 2019

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.1(1.268) 1.2(0.747) 1.2(0.899) 1.2(1.198)

Description (partial)

Symptom:
The Cisco Identity Services Engine (ISE) includes a version of bash that is affected by the vulnerabilities
identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-6271
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-6277
CVE-2014-6278

All shipping versions of ISE are vulnerable to CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278
(AKA the ShellShock bug). That said, the exposure of this bug in ISE is very
limited. The ShellShock vulnerability allows an AUTHENTICATED SSH user to
run a generic Linux command. The key word being 'AUTHENTICATED'. Hence if
an attacker does not have the username and password of an ISE CLI user, they
will not be able to exploit this vulnerability on ISE.
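The bug report above turns on whether the installed bash still executes trailing commands when importing a function definition from the environment (CVE-2014-6271). The following check is an added example, not Cisco's or ISE's own tooling; it assumes a POSIX sh and a bash binary on PATH, so it is meant for a general-purpose host used to confirm a patch level (the ISE CLI does not expose a shell, which is exactly the point made above). It reports "patched" when bash ignores the trailing command, "vulnerable" when the marker is echoed at child start-up, and "no-bash" when no bash binary is found.

```shell
#!/bin/sh
# Added example (not from the bug report): local self-check for the
# CVE-2014-6271 bash function-import bug. Assumes POSIX sh and bash on PATH.

shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # A constructed, per-run marker so the result cannot be confused with
    # any other output the child shell might produce.
    marker="shellshock-marker-$$"

    # The exported value is a function definition followed by a trailing
    # command. A patched bash imports the function only and never runs the
    # trailer; an unpatched bash runs it when the child process starts, so
    # the marker shows up on stdout even though the -c command is just 'true'.
    out=$(env "X=() { :; }; echo $marker" bash -c 'true' 2>/dev/null)

    if [ "$out" = "$marker" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
    return 0
}

# Stand-alone usage: print the verdict for this host.
shellshock_status
```

The check only observes whether bash honours the trailing command; it writes nothing and changes no state, so it is safe to run from a configuration-audit or inventory script and to feed the one-word verdict into a patch-compliance report.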

If the user DOES have credentials and would like to exploit ShellShock,
that CLI user would be able to run generic Linux commands on the ISE node
that they would normally not be able to run (because the ISE CLI does not
expose generic Linux commands). However, those Linux commands will run as the
logged-in CLI user account, not as the Linux root user. Hence, this limits
the exposure of the vulnerability in ISE. An example of an exploit using
ShellShock in ISE would be to view Linux system files that the CLI user would
normally not be able to view.

The workaround to remove the CLI vulnerability is to disable the SSH
daemon from the CLI, then reload the ISE node to ensure all SSH
sessions have been terminated. The following CLI session demonstrates how to
disable the SSH service and reload the ISE node.

---snip
ise1/admin# configure terminal
ise1/admin(config)# no service sshd enable 
ise1/admin(config)# end
ise1/admin# reload
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Continue with reboot? [y/n] y
---snip

Note that reloading the node is important to do after disabling SSH because 
it ensures all SSH sessions have been disconnected.

Regarding other exposures to the ShellShock bug, such as through DHCP or
CGI, we believe ISE is not vulnerable to either, with the following reasoning.
Related to the DHCP server options vulnerability: an ISE node never acts as
a DHCP client. The IPv4 addresses must be configured statically in ISE,
hence the ShellShock attack via DHCP server options would never
be triggered on ISE.

Regarding the web interface/CGI vulnerability: the ShellShock bug affects
mod_cgi/mod_cgid running on Apache. ISE does not use Apache, and Apache is
not even installed in ISE. ISE uses Tomcat for its web applications.
Furthermore, within the ISE Tomcat webapp configuration, for each webapp
there are no servlet-mappings for CGI. Given this, we believe ISE is not
vulnerable to ShellShock from the web/CGI interface.

This defect has been fixed in the following versions of ISE:
1.1.3.x patch 12
1.1.4.x patch 12
1.2.0.x patch 12
1.2.1.x patch 3
1.3.0.876 (FCS)

Conditions:
ISE nodes are exposed to this vulnerability only if they have the SSH service enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands.