cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

464
Views
5
Helpful
1
Replies

ISE 2.6 Vulnerability - Web Server TLS BREACH Attack

Hi.

 

I have a client, with this vulnerability.

 

Vulnerability title: Web Server TLS BREACH Attack

 

* By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream.

 

Solution presented:

 

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Some of these mitigations may protect entire applications, while others may only protect individual web pages.

- Disable HTTP compression.
- Separate the secrets from the user input.
- Randomize the secrets in each client request.
- Mask secrets (effectively randomizing by XORing with a random secret per request).
- Protect web pages from CSRF attacks.
- Obfuscate the length of web responses by adding random amounts of arbitrary bytes.

 

Is it possible to apply this workaround on cisco ISE?

1 ACCEPTED SOLUTION

Accepted Solutions
Greg Gibbs
Cisco Employee

There is no access to the underlying OS in ISE, so you cannot make changes to the web server to apply these mitigations.

Is this vulnerability linked to a known CVE? If so, you can check if it is a known vulnerability in Cisco products via the Security Advisories page.

If this is not a known vulnerability and you have a detailed vulnerability report, you can submit it to the Cisco PSIRT team for review as per the Security Vulnerability Policy.

As with other vulnerabilities related to the Web UI, you can mitigate the risk of a threat actor exploiting this vulnerability by limiting access to the Web UI to specific source management IPs/VLANs using the IP Access Restrictions list.

View solution in original post

1 REPLY 1
Greg Gibbs
Cisco Employee

There is no access to the underlying OS in ISE, so you cannot make changes to the web server to apply these mitigations.

Is this vulnerability linked to a known CVE? If so, you can check if it is a known vulnerability in Cisco products via the Security Advisories page.

If this is not a known vulnerability and you have a detailed vulnerability report, you can submit it to the Cisco PSIRT team for review as per the Security Vulnerability Policy.

As with other vulnerabilities related to the Web UI, you can mitigate the risk of a threat actor exploiting this vulnerability by limiting access to the Web UI to specific source management IPs/VLANs using the IP Access Restrictions list.

View solution in original post

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel