14 DAY TRIAL // The company posted an advisory in which it alerts customers that the Cisco Identity Services Engine (ISE) contains a set of default credentials that can be used by hackers to modify the configuration and settings of the device and even gain complete control over it.
The advisory was released on September 20 and the software updates that will address this vulnerability will be made available at the end of the month.
All the software and hardware product versions prior to 1.0.4.MR2 are affected by the weakness, so anyone who owns such solutions should verify if they are susceptible to a potential hit. To check the product's release number, the ise-node1/admin# command can be typed in the command-line interface.
The Cisco Identity Services Engine helps administrators create and manage access control policies, offering a highly accurate view on the entire network. The system relies on a large number of security measures, such as authentication, authorization and guest management services that are all combined on a single platform.
The networking solutions provider has assessed the potential damage and threat presented by the issue, using the Common Vulnerability Scoring System (CVSS). The base score obtained after calculations were made was 10 and the temporal score 9.5, these numbers being acquired from parameters such as access vector, access complexity, authentication, confidentiality impact, integrity impact and availability impact.
Customers are advised to “consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.“
Because there are no known workarounds for this issue, administrators who manage such appliances should immediately update them after the fix is released, to avoid any potential attempts made by hackers to breach the security of their network. The default credentials can be used to access the underlying database, giving the attacker total control over the device, fact which could later have devastating consequences.