Cisco Identity Services Engine RADIUS Denial of Service Vulnerability

🚨 SEVERITY: HIGH — CVSS 8.6 Security Advisory

TL;DR 📌

A vulnerability in the Cisco Identity Services Engine (ISE) related to RADIUS message processing could allow an unauthenticated attacker to trigger a denial of service (DoS) condition. Cisco has released software updates to address this issue, but there are no workarounds available.

What happened 🕵️‍♂️

Cisco has identified a vulnerability in the RADIUS message processing feature of Cisco Identity Services Engine (ISE). This flaw allows an unauthenticated, remote attacker to send specific authentication requests that can cause the Cisco ISE to reload, leading to a denial of service (DoS) condition. The vulnerability is attributed to improper handling of certain RADIUS requests.

Affected products 🖥️

The vulnerability affects Cisco ISE when it is configured with RADIUS authentication services. Notably, RADIUS services are enabled by default. If Cisco ISE is used solely for TACACS+, it is not affected by this vulnerability.

Fixed software 🔧

Upgrade to at least the first fixed release in your train (or later):

Product / Release Train First Fixed Release Notes
ISE / ISE-PIC 3.3 and earlier Not vulnerable
ISE / ISE-PIC 3.4 3.4P1
ISE / ISE-PIC 1.0 Initial public release.

Workarounds 🧯

There are no workarounds available to mitigate this vulnerability.

Risk in context 🎯

With a CVSS score of 8.6, this vulnerability is classified as HIGH severity. Organizations using Cisco ISE with RADIUS authentication should prioritize applying the fixed software updates to prevent potential exploitation that could lead to service disruptions.

Fast facts ⚡

  • Vulnerability: Cisco Identity Services Engine RADIUS Denial of Service
  • CVSS Score: 8.6 (HIGH)
  • Exploitation: Possible via unauthenticated remote access
  • Fixed Software: Cisco ISE 3.4P1
  • Workarounds: None available

For leadership 🧭

This advisory highlights a critical vulnerability that could impact the availability of Cisco ISE services. It is essential for organizations to assess their use of Cisco ISE with RADIUS authentication and ensure that they apply the necessary software updates promptly. Failure to do so may expose the organization to service interruptions and potential security risks.