CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
34.5%
A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the InternalCertificate Authority (CA) Services on ISE. This vulnerability is due to an incorrect implementation of role-based access control (RBAC). An attacker could exploit this vulnerability by crafting a specific HTTP request with administrative credentials.
A successful exploit could allow the attacker to generate a certificate that is signed and trusted by the ISE CA with arbitrary attributes. The attacker could use this certificate to access other networks or assets that are protected by certificate authentication.
Please see the included Cisco BIDs and Cisco Security Advisory for more information
#TRUSTED 2d541db8e51d71c8e6c07d81cf93cf7b32eaeacc0a7dfa9538a5161e0a0cb94493f50b35dd765cd27360db4644f5d29fbbce75235d0ae4ba8d7bba3ecc945fbf640e86fd78089e1e229adfb20ad966ff09646aa50f83f505f131a1c15b2cf7710216988fe5f1f688bc2ee58afccd1002f684caec6cee11987dfb1fa1c728f87bf16fa39af91f68c4e9d4868d253f9cb7721d94ebf475157856648c267278c17ac01e8609a1481af95ca56ba4c53d1062057310a6c2bedb0b3ed1d488ccac4767396228a38d2bf180f7affed4b83f07dd5b2f02c633799fee0e1fe799616e71f24c5c96ea4b6f22cbf5686284ad2837510d46f5c9570788aacceddae7853863c1917cdc06e5a0ab789ad91eedf56b0b371a0263df987afe222a485e99dddc00fa12d6528ee9927316d3779e8c564fdb50cdad9370a01586b3ac3a2035716333c33b7f7438d5b59b7f65949896daf3238ad9663204a969d7ac7c880b37bdc6635afcbe8dcb0fa8982b64868341500fdbda340de4e17f959da75f3193a7167323deaf8c25ca5741ea283b9a0144d437a8d6d280453f40b1fa0d466658d5871685c9fbec039a1d10fbdc643f7796d27a8836ebe7f2e767c4bb0bda64f3cf8d9209d5a6900a3ae22f64a7c6a9701fe15a2c8d127d47753e686bed8c71815b1daabb7c6301a7f298b0df11b17582447dadda3971ef806b1b62c3f8e874a75b043a2ad9
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(128684);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/04/06");
script_cve_id("CVE-2019-1851");
script_bugtraq_id(108356);
script_xref(name:"CISCO-BUG-ID", value:"CSCvm81230");
script_xref(name:"CISCO-SA", value:"cisco-sa-20190515-ise-certcreation");
script_name(english:"Cisco Identity Services Engine Arbitrary Client Certificate Creation Vulnerability");
script_summary(english:"Checks the version of Cisco Identity Services Engine Software");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"A vulnerability in the External RESTful Services (ERS) API of the
Cisco Identity Services Engine (ISE) could allow an authenticated,
remote attacker to generate arbitrary certificates signed by the
InternalCertificate Authority (CA) Services on ISE. This
vulnerability is due to an incorrect implementation of role-based
access control (RBAC). An attacker could exploit this vulnerability
by crafting a specific HTTP request with administrative credentials.
A successful exploit could allow the attacker to generate a
certificate that is signed and trusted by the ISE CA with arbitrary
attributes. The attacker could use this certificate to access other
networks or assets that are protected by certificate authentication.
Please see the included Cisco BIDs and Cisco Security Advisory for
more information");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-ise-certcreation
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?980cfdbf");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm81230");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvm81230");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1851");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_cwe_id(285);
script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/15");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/15");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/11");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:identity_services_engine");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:identity_services_engine");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:identity_services_engine_software");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ise_detect.nbin");
script_require_keys("Host/Cisco/ISE/version", "Settings/ParanoidReport");
exit(0);
}
include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');
include('lists.inc');
product_info = cisco::get_product_info(name:'Cisco Identity Services Engine Software');
if (report_paranoia < 2) audit(AUDIT_PARANOID);
vuln_ranges = [
{ 'min_ver' : '0.0', 'fix_ver' : '2.2.0.470' },
{ 'min_ver' : '2.3.0', 'fix_ver' : '2.3.0.298' },
{ 'min_ver' : '2.4.0', 'fix_ver' : '2.4.0.357' }
];
workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();
# ISE version doesn't change when patches are installed, so even if
# they are on the proper version we have to double check patch level
required_patch = '';
if (product_info['version'] =~ "^2\.2\.0($|[^0-9])") required_patch = '15';
else if (product_info['version'] =~ "^2\.3\.0($|[^0-9])") required_patch = '7';
else if (product_info['version'] =~ "^2\.4\.0($|[^0-9])") required_patch = '8';
reporting = make_array(
'port' , 0,
'severity' , SECURITY_WARNING,
'version' , product_info['version'],
'bug_id' , 'CSCvm81230',
'fix' , 'See advisory'
);
# uses required_patch parameters set by above version ranges
cisco::check_and_report(
product_info:product_info,
reporting:reporting,
workarounds:workarounds,
workaround_params:workaround_params,
vuln_ranges:vuln_ranges,
required_patch:required_patch);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
34.5%