Cisco Bug: CSCvs42441 - Service account passwords returned from server in SMS and LDAP page
Sep 26, 2020
- Cisco Identity Services Engine
Known Affected Releases
2.2(0.916) 2.3(0.906) 2.4(0.911) 2.6(0.902)
Symptom: A vulnerability in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to recover service account passwords that are saved on an affected system. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin portal. An attacker with read or write access to the Admin portal could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to recover passwords and expose those accounts to further attack.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pass-disclosure-K8p2Nsgg

Conditions: At the time of publication, this vulnerability affected Cisco ISE releases earlier than Release 2.7p2. At the time of publication, Cisco ISE releases 2.7p2 and later contained the fix for this vulnerability. For information about vulnerable and not vulnerable software releases, and the time frame for fixed software releases, please open a support case with your support organization. PSIRT does not provide or maintain this information for Medium SIR advisories.
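The bug class described above (a configuration page that writes a saved service-account password back into the form) is illustrated below with an added example; this is not Cisco ISE code, and the LDAP field names, the sample password and the placeholder value are constructed for the illustration. The vulnerable renderer sits beside a hardened one, plus a save handler that understands the placeholder and a regression check that flags any response carrying a stored secret in clear.

```python
"""Added illustration of the bug class: a config page that echoes a saved
service-account password versus one that redacts it. Not Cisco ISE code."""
import html

# Constructed sample of what a server might hold for an LDAP integration.
SAVED_CONFIG = {
    "ldap_server": "ldap.example.internal",
    "bind_dn": "cn=ise-svc,ou=service,dc=example,dc=internal",
    "bind_password": "S3rv1ce-Acc0unt-Secret",  # constructed sample value
}
SECRET_FIELDS = {"bind_password"}
REDACTED = "********"  # sentinel the form shows instead of the stored secret


def render_page_vulnerable(config: dict) -> str:
    """Vulnerable pattern: every saved value, secrets included, is written
    into the HTML form, so anyone who can load the page can read it."""
    return "".join(
        f'<input name="{k}" value="{html.escape(v)}">' for k, v in config.items()
    )


def render_page_hardened(config: dict) -> str:
    """Hardened pattern: secret fields are rendered as a password input with a
    fixed placeholder; the stored value never leaves the server."""
    parts = []
    for k, v in config.items():
        if k in SECRET_FIELDS:
            parts.append(f'<input name="{k}" type="password" value="{REDACTED}">')
        else:
            parts.append(f'<input name="{k}" type="text" value="{html.escape(v)}">')
    return "".join(parts)


def apply_update(config: dict, submitted: dict) -> dict:
    """Save handler that works with the placeholder: a secret field that comes
    back untouched (sentinel or empty) leaves the stored value alone."""
    updated = dict(config)
    for k, v in submitted.items():
        if k in SECRET_FIELDS and v in ("", REDACTED):
            continue
        updated[k] = v
    return updated


def response_leaks_secret(response: str, config: dict) -> bool:
    """Regression check for rendered pages: does the response carry any
    stored secret in clear (raw or HTML-escaped)?"""
    return any(
        config[k] in response or html.escape(config[k]) in response
        for k in SECRET_FIELDS if config.get(k)
    )
```

Running `response_leaks_secret` over every rendered configuration page in a test suite is the check that would have caught this class of defect before release.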