PT-2017-3407 · Cisco · Cisco ISE Virtual Appliance (and 2 other affected products)
Published 2017-11-01 · Updated 2019-10-09
CVE-2017-12261
CVSS v3.1 base score: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Cisco Identity Services Engine (ISE) versions 1.4 through 2.1.0
Cisco ISE Express versions 1.4 through 2.1.0
Cisco ISE Virtual Appliance versions 1.4 through 2.1.0
Description
A vulnerability in the restricted shell of Cisco Identity Services Engine (ISE), reachable over SSH, could allow an authenticated, local attacker to run arbitrary CLI commands with elevated privileges. The vulnerability is due to incomplete input validation of user-supplied input to CLI commands issued at the restricted shell. An attacker could exploit it by authenticating to the targeted device and issuing crafted commands that execute with elevated privileges. Exploitation requires valid user credentials for the device, which is what the CVSS vector expresses with AV:L and PR:L; the impact is a full compromise of the appliance (C:H/I:H/A:H).
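To make the described failure mode concrete, the following is an added example in Python; it is hypothetical code written for this page, not Cisco's code and not derived from ISE. It shows a restricted-shell dispatcher of the kind the description refers to: a vulnerable variant that denylists a few shell metacharacters and then builds a command string for a shell, next to a hardened variant that allowlist-validates each argument against the shape the command needs and executes an argv list with no shell at all. The command table, the hostname regular expression and the sample command lines are all constructed for illustration.

```python
"""
Illustrative restricted-shell dispatcher (added example, not Cisco ISE code).

A restricted shell exposes a small set of verbs (here: ping, nslookup) to a
low-privileged CLI user and implements them by calling OS tools with the
user's arguments. If argument validation is incomplete and the arguments are
handed to a shell as one string, the user can smuggle additional commands that
run with the privileges of the wrapper (assumed here to be elevated).
"""
import re
import shlex
import subprocess

# Hypothetical command table: restricted-shell verb -> fixed argv prefix.
COMMAND_TABLE = {
    "ping": ["/bin/ping", "-c", "3"],
    "nslookup": ["/usr/bin/nslookup"],
}

# Incomplete validation: a denylist that forgets ';', newline, '`', '$(' ...
DENY_CHARS = "|&<>"


def build_vulnerable(line: str) -> str:
    """Vulnerable pattern: denylist a few characters, then concatenate the
    user's text into a shell command string (later run with shell=True)."""
    verb, _, rest = line.strip().partition(" ")
    if verb not in COMMAND_TABLE:
        raise ValueError(f"unknown command: {verb}")
    if any(ch in rest for ch in DENY_CHARS):
        raise ValueError("illegal character")
    # A ';' in `rest` ends the intended command and starts a second one that
    # the shell executes with the wrapper's privileges.
    return " ".join(COMMAND_TABLE[verb]) + " " + rest


def run_vulnerable(line: str) -> int:
    """Executes the concatenated string through a shell. Shown only to make the
    sink explicit; do not use this pattern."""
    return subprocess.run(build_vulnerable(line), shell=True, check=False).returncode


# Allowlist for the single argument both verbs take: a hostname or IP literal.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_hardened(line: str) -> list:
    """Hardened pattern: tokenize, require exactly the arguments the verb
    needs, allowlist-validate each one, and return an argv list. Because the
    list is executed without a shell, no metacharacter is ever interpreted."""
    tokens = shlex.split(line)
    if not tokens:
        raise ValueError("empty command")
    verb, args = tokens[0], tokens[1:]
    if verb not in COMMAND_TABLE:
        raise ValueError(f"unknown command: {verb}")
    if len(args) != 1 or not HOST_RE.match(args[0]):
        raise ValueError("expected exactly one hostname or IP address")
    return COMMAND_TABLE[verb] + [args[0]]


def run_hardened(line: str) -> int:
    """Execute the validated argv directly (shell=False is the default)."""
    return subprocess.run(build_hardened(line), check=False).returncode


def accepted(builder, line: str) -> bool:
    """True if `builder` lets this command line through; used to compare the
    two dispatchers on the same input."""
    try:
        builder(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two injection attempts.
    for sample in ("ping 127.0.0.1", "ping 127.0.0.1; id", "ping $(id)"):
        print(f"{sample!r:28} vulnerable={accepted(build_vulnerable, sample)} "
              f"hardened={accepted(build_hardened, sample)}")
```

The hardened variant does not try to enumerate bad characters; it describes what a valid argument looks like and rejects everything else, and it never gives a shell the chance to parse user text. That is the difference between "incomplete input validation" and validation that is complete by construction.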
Recommendations
Upgrade to a Cisco ISE release that contains the fix for CVE-2017-12261. This page does not list the fixed release; consult Cisco's security advisory for the exact version for each form factor (ISE, ISE Express, ISE Virtual Appliance). Until the fix is applied:
- Restrict SSH access to the ISE CLI to a management network or jump host using network ACLs or a firewall; the vulnerability is only reachable by a user who can log in to the restricted shell.
- Reduce and review the set of accounts permitted to log in to the CLI. Exploitation requires valid credentials, so every CLI-capable account, including low-privileged ones, is a potential path to elevated privileges.
- If CLI access over SSH is not needed, disabling SSH on the appliance removes the network-reachable path; the restricted shell itself remains reachable from the console, so this is a mitigation, not a fix.
- Review CLI activity on the appliance for unexpected commands issued by users who should not hold elevated privileges.
Fix
The fixed release is not listed on this page; refer to Cisco's advisory for CVE-2017-12261.
Weakness type
Incorrect Authorization
Affected Products
Cisco ISE Express
Cisco ISE Virtual Appliance
Cisco Identity Services Engine