CVE-2023-20243
📋 TL;DR
An unauthenticated remote attacker can cause Cisco ISE to stop processing RADIUS packets by sending crafted RADIUS accounting requests, resulting in denial of service for network authentication. This affects organizations using Cisco ISE for AAA services. Legitimate users would be denied network access during the outage.
💻 Affected Systems
- Cisco Identity Services Engine (ISE)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete RADIUS service disruption requiring manual PSN restart, preventing all new network authentications and potentially affecting business operations.
Likely Case
Intermittent RADIUS processing failures causing authentication timeouts and user access issues until service is restored.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.
🎯 Exploit Status
Exploitation requires sending crafted RADIUS packets, which is straightforward for attackers with network access to vulnerable components.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cisco ISE 3.3 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radius-dos-W7cNn7gt
Restart Required: Yes
Instructions:
1. Backup ISE configuration.
2. Upgrade to Cisco ISE 3.3 or later.
3. Restart Policy Service Nodes after upgrade.
4. Verify RADIUS services are functioning.
🔧 Temporary Workarounds
Network segmentation
Restrict access to RADIUS ports (UDP 1812/1813, 1645/1646) to trusted NADs only
RADIUS secret hardening
Use strong, unique RADIUS shared secrets and rotate them regularly
🧯 If You Can't Patch
- Implement strict network ACLs to limit RADIUS traffic to authorized NADs only
- Monitor RADIUS process health and implement automated alerts for service restarts
🔍 How to Verify
Check if Vulnerable:
Check Cisco ISE version via admin GUI or CLI: show version
Check Version:
show version
Verify Fix Applied:
Verify version is 3.3 or later and RADIUS services are running without unexpected restarts
📡 Detection & Monitoring
Log Indicators:
- RADIUS process restarts
- Authentication timeouts
- High volume of malformed RADIUS packets
Network Indicators:
- Unusual RADIUS traffic patterns from non-NAD sources
- Spike in RADIUS accounting requests
SIEM Query (Splunk-style pseudo-query; adapt field names to your ISE log ingestion, timeout in seconds):
source="cisco-ise" AND (event_type="process_restart" OR message="*RADIUS*restart*" OR auth_timeout>5)
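An added example, not from the advisory or from Cisco, that turns the three indicators above (non-NAD accounting sources, accounting-request spikes, RADIUS process restarts) into a small log check; the log layout, the trusted NAD range and the spike threshold are assumptions for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines in an assumed syslog-like layout; NOT real Cisco ISE output.
SAMPLE_LOGS = (
    ["2023-09-06T10:00:00Z ise-psn1 radius: Accounting-Request from 10.1.1.10"] * 3
    + ["2023-09-06T10:00:01Z ise-psn1 radius: Access-Request from 10.1.1.11"]
    + ["2023-09-06T10:00:02Z ise-psn1 radius: Accounting-Request from 192.168.50.77"] * 8
    + ["2023-09-06T10:00:09Z ise-psn1 monitor: RADIUS process restarted (pid 4242)"]
)

# Trusted network access devices (NADs); placeholder range for this example.
TRUSTED_NADS = [ip_network("10.1.1.0/24")]

ACCT_RE = re.compile(r"Accounting-Request from (\d{1,3}(?:\.\d{1,3}){3})")
RESTART_RE = re.compile(r"RADIUS process restart", re.IGNORECASE)


def is_trusted(ip, trusted):
    """True if the source address falls inside any trusted NAD range."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted)


def analyze(lines, trusted=TRUSTED_NADS, spike_threshold=5):
    """Return the indicators the advisory lists: accounting requests from
    non-NAD sources, per-source accounting spikes, and RADIUS process restarts."""
    acct_counts = Counter()
    restarts = 0
    for line in lines:
        if RESTART_RE.search(line):
            restarts += 1
            continue
        m = ACCT_RE.search(line)
        if m:
            acct_counts[m.group(1)] += 1
    untrusted = sorted(ip for ip in acct_counts if not is_trusted(ip, trusted))
    spikes = {ip: n for ip, n in acct_counts.items() if n >= spike_threshold}
    return {"untrusted_sources": untrusted, "spikes": spikes, "restarts": restarts}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

Feed it the real accounting and process-monitor lines from your own collector, with the trusted ranges set to your NAD inventory, and alert on any non-empty result.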