
Johannes Ullrich, dean of research at the SANS Institute, said, “Most likely, this is an XML External Entity vulnerability.” External entities, he explained, are an XML feature that instructs the parser to either read local files or access external URLs. In this case, an attacker could embed an external entity in the license file, instructing the XML parser to read a confidential file and include it in the response. This is a common vulnerability in XML parsers, he said, typically mitigated by disabling external entity parsing.
An attacker would be able to obtain read access to confidential files like configuration files, he added, and possibly user credentials. Ullrich also said an ISE administrator may have access to a lot of the information, but they should not have access to user credentials.
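As an added illustration of the mitigation Ullrich describes (not code from Cisco or from the article), the following Python gate rejects any uploaded license XML that carries a DOCTYPE before it reaches the application's parser, which removes the vehicle for external entities altogether. The two sample documents are constructed here; the `file:///placeholder/...` path is a placeholder, not a real target.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed sample uploads (not from the advisory): a plain license file and
# one carrying a DOCTYPE that declares an external entity, the construct the
# article describes. The SYSTEM path is a placeholder, not a real file.
BENIGN_LICENSE = b'<?xml version="1.0"?><license serial="ISE-DEMO-0001"><feature>base</feature></license>'
DTD_LICENSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE license [<!ENTITY leak SYSTEM "file:///placeholder/confidential.txt">]>'
    b'<license serial="ISE-DEMO-0002"><feature>&leak;</feature></license>'
)


class DtdRejected(ValueError):
    """Uploaded XML carried a DOCTYPE; DTDs (and so external entities) are not allowed."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Scan the document with a bare expat parser and abort on the first DOCTYPE.

    expat calls StartDoctypeDeclHandler as soon as it sees '<!DOCTYPE', before any
    entity declared inside it can be resolved, so raising here stops the parse.
    Malformed XML raises ExpatError, which also rejects the upload.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' is not permitted in uploaded XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def parse_license(xml_bytes: bytes) -> ET.Element:
    """Gate the upload first, then hand it to the application's own XML parser."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def classify_upload(xml_bytes: bytes) -> str:
    """Return a verdict string suitable for a log line or audit event."""
    try:
        root = parse_license(xml_bytes)
    except DtdRejected as exc:
        return f"rejected: {exc}"
    return f"accepted: serial={root.attrib.get('serial')}"


if __name__ == "__main__":
    for sample in (BENIGN_LICENSE, DTD_LICENSE):
        print(classify_upload(sample))
```

The rejection verdict is a useful thing to log: an administrator account submitting DTD-bearing license files is exactly the signal a detection team would want to alert on.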
The Cisco advisory says an attacker could exploit this vulnerability by uploading a malicious file to the application: “A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials.”
Cisco said proof-of-concept exploit code is available for this vulnerability, but so far the company isn’t aware of any malicious use of the hole.
These days, admin credentials aren’t hard to get, Harrington noted. The “dirty secret that few people want to talk about is across IT and security operations there are so many systems that are left with default credentials.” That’s particularly common, he said, with devices behind a firewall, such as network access control servers, because admins assume that, being inside the network, they can’t be touched by external hackers. But lots of credentials can be scooped up in compromises of applications where Cisco admins might have stored passwords.
