CVE-2024-20515
📋 TL;DR
An authenticated attacker with Read-Only Administrator privileges in Cisco Identity Services Engine (ISE) can exploit improper data protection mechanisms to view sensitive device credentials that should be hidden. This affects organizations using vulnerable versions of Cisco ISE for network access control and policy management.
💻 Affected Systems
- Cisco Identity Services Engine (ISE)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials, potentially leading to full system compromise, lateral movement, and data exfiltration.
Likely Case
Attackers gain access to sensitive configuration data that could facilitate further attacks or reconnaissance.
If Mitigated
Limited exposure with proper access controls and monitoring in place.
🎯 Exploit Status
Exploitation requires authenticated access with Read-Only Administrator privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cisco ISE 3.3 Patch 2 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-info-disc-ZYF2nEEX
Restart Required: Yes
Instructions:
1. Download the patch from the Cisco Software Center.
2. Apply the patch following the Cisco ISE patch installation procedures.
3. Restart the ISE services or appliance as required.
🔧 Temporary Workarounds
Restrict Read-Only Administrator Access
Limit Read-Only Administrator accounts to trusted personnel only and monitor their activities.
🧯 If You Can't Patch
- Implement strict access controls and monitor all Read-Only Administrator account activities.
- Segment network access to the ISE management interface and implement network-based restrictions.
🔍 How to Verify
Check if Vulnerable:
Check the Cisco ISE version via the web interface or the CLI. Vulnerable if the version is prior to 3.3 Patch 2.
Check Version:
show version
Verify Fix Applied:
Verify the installed version is 3.3 Patch 2 or later and test that Read-Only Administrators cannot access sensitive credentials.
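The version check above can be automated across a fleet of appliances. The following Python script is an added example, not part of this advisory summary or of any Cisco tooling: it parses captured `show version` text and applies the "prior to 3.3 Patch 2" rule stated above. The sample output is constructed to resemble the shape of the ISE CLI output (application block, then patch block); the exact layout on a given appliance is an assumption and may need adjusting.

```python
import re
from typing import Tuple

# Constructed sample of `show version` output; layout is assumed, not captured
# from a real appliance. Only the two "Version :" lines matter to the parser.
SAMPLE_OUTPUT = """\
Cisco Application Deployment Engine OS Release: 3.3
ADE-OS Build Version: 3.3.0.430

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.3.0.430
Build Date   : Wed Jun 21 2023

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 1
Install Date : Mon Nov 13 2023
"""

FIXED_RELEASE = (3, 3)  # fixed in 3.3 Patch 2 and later, per the advisory summary
FIXED_PATCH = 2


def parse_show_version(text: str) -> Tuple[Tuple[int, int], int]:
    """Return ((major, minor), highest_patch) parsed from `show version` text.
    Patch level is 0 when no patch block is present."""
    release, patch, section = None, 0, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Cisco Identity Services Engine":
            section = "app"
        elif stripped == "Cisco Identity Services Engine Patch":
            section = "patch"
        m = re.match(r"Version\s*:\s*(\S+)", stripped)  # skips "ADE-OS Build Version"
        if m and section == "app":
            major, minor = m.group(1).split(".")[:2]
            release = (int(major), int(minor))
        elif m and section == "patch":
            patch = max(patch, int(m.group(1)))  # several patch blocks: keep the highest
    if release is None:
        raise ValueError("no ISE application version found in output")
    return release, patch


def is_vulnerable(release: Tuple[int, int], patch: int) -> bool:
    """Apply the page's rule: vulnerable if prior to 3.3 Patch 2."""
    return (release, patch) < (FIXED_RELEASE, FIXED_PATCH)
```

Feed the function the text captured from each appliance (for example via an SSH session log) rather than the constructed sample to check a real deployment.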
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns by Read-Only Administrator accounts to sensitive configuration pages.
Network Indicators:
- Multiple requests to specific ISE management interface pages containing sensitive data.
SIEM Query:
source="ISE" AND (event_type="CONFIGURATION_ACCESS" OR user_role="READ_ONLY_ADMIN") AND url_contains="sensitive"