December 6, 2022
Cisco this week announced the release of patches for multiple vulnerabilities across its product portfolio, including high-severity defects in identity, email, and web security products.

The most severe of these issues is CVE-2022-20961 (CVSS score of 8.8), a cross-site request forgery (CSRF) flaw in Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to perform arbitrary actions on a vulnerable device.

The issue exists because the web-based management interface of impacted devices does not have sufficient CSRF protections and can be exploited if an attacker tricks a user into clicking on a crafted link.

Cisco ISE is also affected by CVE-2022-20956 (CVSS score of 7.1), an authorization bypass that exists because of improper access control in the web-based management interface, and which can be exploited using crafted HTTP requests.

“A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to,” Cisco explains.

ISE 3.1 and 3.2 users are advised to contact Cisco for hot patches that address this vulnerability. The tech giant warns that proof-of-concept (PoC) code exploiting this bug will be released once software fixes are made available.

Davide Virruso of Yoroi, the researcher credited by Cisco for reporting CVE-2022-20956, was last month credited for a different high-severity flaw affecting ISE. Contacted at the time by SecurityWeek, Virruso suggested that no information will be made public any time soon.

This week, Cisco also announced patches for CVE-2022-20867 and CVE-2022-20868, two security defects impacting Email Security Appliance (ESA), Secure Email and Web Manager, and Secure Web Appliance.

The bugs, which are not dependent on one another, could allow an authenticated, remote attacker to launch SQL injection attacks with root privileges, or elevate their privileges on a vulnerable system, Cisco explains.

Cisco AsyncOS releases 14.2.1 and 14.3.0 contain patches for ESA and Secure Email and Web Manager. Patches for Secure Web Appliance were included in AsyncOS release 12.5.5 and are planned for AsyncOS releases 14.0.4 and 14.5.1.

Two other high-severity issues that Cisco addressed this week impact the web-based management interface of BroadWorks CommPilot and could lead to arbitrary code execution or sensitive data leaks.

Tracked as CVE-2022-20951 and CVE-2022-20958, the two issues exist because user-supplied input is not sufficiently validated. An attacker could exploit them by sending crafted HTTP requests.

Cisco announced that it is investigating potential impact from two recently disclosed OpenSSL vulnerabilities (CVE-2022-3602 and CVE-2022-3786), but that none of its on-premises products are known to be affected.

Additionally, Cisco announced patches for several medium-severity vulnerabilities impacting Cisco Umbrella, ISE, AsyncOS for ESA, and ESA and Secure Email and Web Manager.

Further information on the resolved vulnerabilities can be found on Cisco’s product security page.

Ionut Arghire is an international correspondent for SecurityWeek.