Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1916
Views
5
Helpful
1
Replies

ISE 2.6 Vulnerability - Web Server TLS BREACH Attack

Go to solution
Ricardo Matias Aires
Level 1
Level 1

‎07-28-2021 01:50 PM

Hi.

 

I have a client, with this vulnerability.

 

Vulnerability title: Web Server TLS BREACH Attack

 

* By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream.

 

Solution presented:

 

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Some of these mitigations may protect entire applications, while others may only protect individual web pages.

- Disable HTTP compression.
- Separate the secrets from the user input.
- Randomize the secrets in each client request.
- Mask secrets (effectively randomizing by XORing with a random secret per request).
- Protect web pages from CSRF attacks.
- Obfuscate the length of web responses by adding random amounts of arbitrary bytes.

 

Is it possible to apply this workaround on cisco ISE?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎07-28-2021 04:38 PM

There is no access to the underlying OS in ISE, so you cannot make changes to the web server to apply these mitigations.

Is this vulnerability linked to a known CVE? If so, you can check if it is a known vulnerability in Cisco products via the Security Advisories page.

If this is not a known vulnerability and you have a detailed vulnerability report, you can submit it to the Cisco PSIRT team for review as per the Security Vulnerability Policy.

As with other vulnerabilities related to the Web UI, you can mitigate the risk of a threat actor exploiting this vulnerability by limiting access to the Web UI to specific source management IPs/VLANs using the IP Access Restrictions list.

View solution in original post

1 Reply 1

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎07-28-2021 04:38 PM

There is no access to the underlying OS in ISE, so you cannot make changes to the web server to apply these mitigations.

Is this vulnerability linked to a known CVE? If so, you can check if it is a known vulnerability in Cisco products via the Security Advisories page.

If this is not a known vulnerability and you have a detailed vulnerability report, you can submit it to the Cisco PSIRT team for review as per the Security Vulnerability Policy.

As with other vulnerabilities related to the Web UI, you can mitigate the risk of a threat actor exploiting this vulnerability by limiting access to the Web UI to specific source management IPs/VLANs using the IP Access Restrictions list.

Customers Also Viewed These Support Documents