Cisco Bug: CSCur00532 - ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock)
Dec 19, 2019
- Cisco Identity Services Engine
Known Affected Releases
1.1(1.268) 1.2(0.747) 1.2(0.899) 1.2(1.198)
Symptom: The Cisco Identity Services Engine (ISE) includes a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs: CVE-2014-6271 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 CVE-2014-6277 CVE-2014-6278 All shipping versions of ISE are vulnerable to CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 (AKA ShellShock bug). That said, the exposure of this bug in ISE is very limited. The shellshock vulnerability allows an AUTHENTICATED SSH user run a generic Linux command. The key word being 'AUTHENTICATED'. Hence if an attacker does not have the username and password of an ISE CLI user, they will not be able to exploit this vulnerability on ISE. If the user DOES have credentials, and would like to exploit the shellshock, that CLI user would be able to run generic Linux commands on the ISE node that they would normally not be able to run (Because the ISE CLI does not expose generic Linux commands). However those Linux commands will run as the logged in CLI user account, not as the Linux root user. Hence, this limits exposure of the vulnerability in ISE. An example of an exploit using shellshock in ISE would be to view Linux system files they would normally not be able to view. The workaround to remove the CLI vulnerability would be to disable the SSH daemon via the following CLI, then reload the ISE node to ensure all SSH sessions have been terminated. The following CLI demonstrates how to disable SSH service and reload the ISE node. ---snip ise1/admin# configure terminal ise1/admin(config)# no service sshd enable ise1/admin(config)# end ise1/admin# reload Save the current ADE-OS running configuration? (yes/no) [yes] ? yes Continue with reboot? [y/n] y ---snip Note that reloading the node is important to do after disabling SSH because it ensures all SSH sessions have been disconnected. Regarding other exposures to the shellshock bug such as through DHCP or CGI, we believe ISE is not vulnerable to either, with this reasoning: Related to DHCP server optoins vulnerability, an ISE node never acts as a DHCP client. The IPv4 addresses must be configured statically in ISE, hence the shellshock attack from DHCP server options flag would never get called by ISE. Regarding web interface/CGI vulnerability, the shellshock bug affects mod_cgi/mod_cgid running on Apache. ISE does not use Apache and Apache is not even installed in ISE. ISE uses tomcat for its web applications. Furthermore, within the ISE tomcat webapp configuration, for each webapp there are no servlet-mappings for CGI. Given this, we believe ISE is not vulnerable to shellshock from the web/CGI interface. This defect has been fixed in the following versions of ISE: 1.1.3.x patch 12 1.1.4.x patch 12 1.2.0.x patch 12 1.2.1.x patch 3 18.104.22.1686 (FCS) Conditions: ISE nodes are exposed to this vulnerability only if they have ssh service enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases