Cisco fixes root escalation vulnerability with public exploit code

Summary: Cisco has addressed a command injection vulnerability (CVE-2024-20469) in its Identity Services Engine (ISE) that could allow authenticated local attackers to escalate privileges to root. The flaw arises from insufficient validation of user input and requires existing Administrator privileges to exploit.

Threat Actor: Local attackers | local attackers
Victim: Cisco Identity Services Engine (ISE) users | Cisco Identity Services Engine

Key Point :

  • The vulnerability allows command injection attacks that can elevate privileges to root on vulnerable systems.
  • Proof-of-concept exploit code is publicly available, but no evidence of exploitation in the wild has been found yet.
  • Other recent vulnerabilities in Cisco products have also been addressed, including critical flaws allowing privilege escalation and unauthorized access.

Cisco

Cisco has fixed a command injection vulnerability with public exploit code that lets attackers escalate privileges to root on vulnerable systems.

Tracked as CVE-2024-20469, the security flaw was found in Cisco’s Identity Services Engine (ISE) solution, an identity-based network access control and policy enforcement software that enables network device administration and endpoint access control in enterprise environments.

This OS command injection vulnerability is caused by insufficient validation of user-supplied input. Local attackers can exploit this weakness by submitting maliciously crafted CLI commands in low-complexity attacks that don’t require user interaction.

However, as Cisco explains, threat actors can only exploit this flaw successfully if they already have Administrator privileges on unpatched systems.

“A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root,” the company warned in a security advisory published on Wednesday.

“The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory.”

Cisco ISE Release First Fixed Release
3.1 and earlier Not affected
3.2 3.2P7 (Sep 2024)
3.3 3.3P4 (Oct 2024)
3.4 Not affected

So far, the company has yet to discover evidence of attackers exploiting this security vulnerability in the wild.

Cisco also warned customers today that it removed a backdoor account in its Smart Licensing Utility Windows software that attackers can use to log into unpatched systems with administrative privileges.

In April, it released security patches for an Integrated Management Controller (IMC) vulnerability (CVE-2024-20295) with publicly available exploit code that also allows local attackers to escalate privileges to root.

Another critical flaw (CVE-2024-20401), which lets threat actors add rogue root users and permanently crash Security Email Gateway (SEG) appliances via malicious emails, was patched last month.

The same week, it warned of a maximum-severity vulnerability that lets attackers change any user password on vulnerable Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including administrators.

Source: https://www.bleepingcomputer.com/news/security/cisco-fixes-root-escalation-vulnerability-with-public-exploit-code