During a security assessment, we identified the product Cisco Identity Services Engine (ISE) as being vulnerable to an OS Command Injection. This issue has been reported to Cisco and disclosed under CVE-2024-20469. The following versions are affected:
- 3.2 before patch P7
- 3.3 before patch P4
About Cisco Identity Services Engine (ISE)
The Cisco ISE is primarily used to securely manage access to devices within a company's network. The system can be administered through a restricted shell accessible via SSH. It is based on a Linux instance, and the available commands resemble standard Linux commands, as shown below.
Two roles are available within Cisco ISE: guest and admin. Even with administrative privileges, users are unable to execute commands directly on the underlying Linux system, as access to the shell remains restricted to the commands shown in the screenshot above.
OS Command Injection
During the security assessment of a company network where Cisco ISEs were deployed, we were able to inject Linux commands through an admin-level account, therefore gaining root access to the underlying system and achieving full remote control.
The vulnerability originates from unescaped input being interpreted by the shell's debug feature. When activated, shell debug mode provides detailed error messages whenever a command fails in the restricted shell. During the assessment, we tested a set of parameters for potential injection points. We discovered that the debug log returned suspicious output, indicating that a command had triggered an error. We investigated further, gradually uncovering a method to exploit the vulnerability and gain deeper access to the system.
We found that the dir command, available to system administrators, can be used to demonstrate this behavior. Similar to its function in Windows or Linux, the command lists the contents of a specified directory. However, when the directory does not exist in the ISE file system and debug mode is enabled, the directory name is reflected in an error message. This behavior exposes detailed information that can be leveraged during exploitation attempts.
The screenshot below shows debug mode enabled.
By embedding Linux commands in the filename passed as the argument to dir using shell command substitution (backticks or `$(whoami)`), we discovered that the output of the executed Linux command was reflected in the error message. For this error to be triggered, the resulting filename, after substitution, must not exist on the system. This condition can be met by appending a carefully chosen string to ensure the filename is invalid.
In the screenshot below you can see the execution of shell commands as the root user on the underlying system.
The root cause of this vulnerability likely lies in the use of a Linux command such as echo in the ISE debug mode without properly escaping the input. When the echo command is followed by an argument containing backticks (`), the string enclosed within the backticks is interpreted as a Linux command, and its output is returned in the error message. By exploiting this vulnerability, attackers could execute OS commands as root on the underlying Linux system, leading to a full compromise of the system.
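To make the bug class concrete, the following is an added example written for this write-up; it is not Cisco ISE code and does not reproduce the real restricted shell. It is a constructed toy "dir" handler in POSIX sh: the vulnerable variant splices the user-supplied name into a command string that a shell re-parses (the `sh -c` call stands in for whatever ISE's debug path does, which the write-up only infers), the hardened variant only ever treats the name as data, and an allow-list check rejects names with shell metacharacters before they reach either. The payload string and directory names are made up.

```shell
#!/bin/sh
# Constructed example, not Cisco ISE code: a toy "dir" handler for a
# restricted shell showing the unescaped-echo pattern and its fix.

# Vulnerable: the name is interpolated into a command string that is then
# evaluated by a shell, so `...` and $(...) inside it are executed.
dir_vulnerable() {
    name="$1"
    if [ ! -d "$name" ]; then
        sh -c "echo debug: directory $name does not exist"
    else
        ls -- "$name"
    fi
}

# Hardened: the name is only ever passed as an argument (to printf or ls)
# and is never re-parsed by a shell, so metacharacters are printed literally.
dir_hardened() {
    name="$1"
    if [ ! -d "$name" ]; then
        printf 'debug: directory %s does not exist\n' "$name"
    else
        ls -- "$name"
    fi
}

# Defence in depth: allow-list the characters a directory name may contain,
# so anything carrying shell metacharacters is rejected before use.
# Returns 0 (safe) or 1 (rejected).
is_safe_dirname() {
    case "$1" in
        ''|*[!A-Za-z0-9_./-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demonstration with a harmless constructed payload.
payload='$(echo injected)'
echo "vulnerable: $(dir_vulnerable "$payload")"
echo "hardened:   $(dir_hardened "$payload")"
if is_safe_dirname "$payload"; then
    echo "allow-list: accepted"
else
    echo "allow-list: rejected $payload"
fi
```

Running the script prints `debug: directory injected does not exist` for the vulnerable handler (the substitution ran) and the literal `$(echo injected)` for the hardened one. The fix is structural rather than a matter of stripping backticks: untrusted input must never be concatenated into a string that a shell interprets, and an allow-list check belongs in front of any path-handling command as a second layer.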
Timeline
07.05.2024 - Vulnerability was reported to vendor.
08.05.2024 - Response from the vendor, issue has been addressed.
15.06.2024 - Vendor informed about timeline for fixing.
04.09.2024 - Security Advisory was published with CVE-2024-20469.
More information can be found on the Cisco Advisory website: