cbcvebase.
CVE-2017-6747
published 2017-08-07

CVE-2017-6747: A vulnerability in the authentication module of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to bypass local…

PriorityP267critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
5.48%
91.8th percentile
A vulnerability in the authentication module of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to bypass local authentication. The vulnerability is due to improper handling of authentication requests and policy assignment for externally authenticated users. An attacker could exploit this vulnerability by authenticating with a valid external user account that matches an internal username and incorrectly receiving the authorization policy of the internal account. An exploit could allow the attacker to have Super Admin privileges for the ISE Admin portal. This vulnerability does not affect endpoints authenticating to the ISE. The vulnerability affects Cisco ISE, Cisco ISE Express, and Cisco ISE Virtual Appliance running Release 1.3, 1.4, 2.0.0, 2.0.1, or 2.1.0. Release 2.2.x is not affected. Cisco Bug IDs: CSCvb10995.

Affected

19 ranges
VendorProductVersion rangeFixed in
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine
ciscoidentity_services_engine

Detection & IOCsextracted from sources · hover to see the quote

  • Attacker authenticates using a valid external user account whose username matches an existing internal ISE username, then receives the internal account's authorization policy (potentially Super Admin) on the ISE Admin portal
  • Monitor ISE Admin portal login events where an externally-authenticated user session is granted Super Admin privileges; cross-reference against expected internal admin accounts for username collisions
  • Affected versions are Cisco ISE / ISE Express / ISE Virtual Appliance releases 1.3, 1.4, 2.0.0, 2.0.1, and 2.1.0; Release 2.2.x is NOT affected — use version fingerprinting to identify exposed assets
  • ·This vulnerability only affects the ISE Admin portal authentication path for externally authenticated users; endpoints authenticating to ISE are not affected
  • ·There are no workarounds available; the only remediation is upgrading to a fixed software release
  • ·Tracked under Cisco Bug ID CSCvb10995; use this identifier when querying Cisco's bug tracker or PSIRT feeds for additional technical detail

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_cisco8.1HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.