https://community.cisco.com/t5/network-access-control/ise-2-6-vulnerability-web-server-tls-breach-attack/m-p/4440655#M568759 <P>Hi.</P><P>&nbsp;</P><P>I have a client, with this vulnerability.</P><P>&nbsp;</P><P>Vulnerability title: Web Server TLS BREACH Attack</P><P>&nbsp;</P><P>* By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream.</P><P>&nbsp;</P><P>Solution presented:</P><P>&nbsp;</P><P>We are currently unaware of a practical solution to this problem. Please consider the following workarounds.</P><P>Some of these mitigations may protect entire applications, while others may only protect individual web pages.</P><P>- Disable HTTP compression.<BR />- Separate the secrets from the user input.<BR />- Randomize the secrets in each client request.<BR />- Mask secrets (effectively randomizing by XORing with a random secret per request).<BR />- Protect web pages from CSRF attacks.<BR />- Obfuscate the length of web responses by adding random amounts of arbitrary bytes.</P><P>&nbsp;</P><P>Is it possible to apply this workaround on cisco ISE?</P> Wed, 28 Jul 2021 20:50:23 GMT Ricardo Matias Aires 2021-07-28T20:50:23Z https://community.cisco.com/t5/network-access-control/ise-2-6-vulnerability-web-server-tls-breach-attack/m-p/4440655#M568759 <P>Hi.</P><P>&nbsp;</P><P>I have a client, with this vulnerability.</P><P>&nbsp;</P><P>Vulnerability title: Web Server TLS BREACH Attack</P><P>&nbsp;</P><P>* By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream.</P><P>&nbsp;</P><P>Solution presented:</P><P>&nbsp;</P><P>We are currently unaware of a practical solution to this problem. Please consider the following workarounds.</P><P>Some of these mitigations may protect entire applications, while others may only protect individual web pages.</P><P>- Disable HTTP compression.<BR />- Separate the secrets from the user input.<BR />- Randomize the secrets in each client request.<BR />- Mask secrets (effectively randomizing by XORing with a random secret per request).<BR />- Protect web pages from CSRF attacks.<BR />- Obfuscate the length of web responses by adding random amounts of arbitrary bytes.</P><P>&nbsp;</P><P>Is it possible to apply this workaround on cisco ISE?</P> Wed, 28 Jul 2021 20:50:23 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-vulnerability-web-server-tls-breach-attack/m-p/4440655#M568759 Ricardo Matias Aires 2021-07-28T20:50:23Z https://community.cisco.com/t5/network-access-control/ise-2-6-vulnerability-web-server-tls-breach-attack/m-p/4440706#M568761 <P>There is no access to the underlying OS in ISE, so you cannot make changes to the web server to apply these mitigations.</P> <P>Is this vulnerability linked to a known CVE? If so, you can check if it is a known vulnerability in Cisco products via the <A href="https://tools.cisco.com/security/center/publicationListing.x" target="_blank" rel="noopener">Security Advisories</A> page.</P> <P>If this is not a known vulnerability and you have a detailed vulnerability report, you can submit it to the Cisco PSIRT team for review as per the <A href="https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html" target="_blank" rel="noopener">Security Vulnerability Policy</A>.</P> <P>As with other vulnerabilities related to the Web UI, you can mitigate the risk of a threat actor exploiting this vulnerability by limiting access to the Web UI to specific source management IPs/VLANs using the <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_basic_setup.html?bookSearch=true#ID626" target="_blank" rel="noopener">IP Access Restrictions</A> list.</P> Wed, 28 Jul 2021 23:38:44 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-vulnerability-web-server-tls-breach-attack/m-p/4440706#M568761 Greg Gibbs 2021-07-28T23:38:44Z