07-28-2021 01:50 PM
Hi.
I have a client, with this vulnerability.
Vulnerability title: Web Server TLS BREACH Attack
* By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream.
Solution presented:
We are currently unaware of a practical solution to this problem. Please consider the following workarounds.
Some of these mitigations may protect entire applications, while others may only protect individual web pages.
- Disable HTTP compression.
- Separate the secrets from the user input.
- Randomize the secrets in each client request.
- Mask secrets (effectively randomizing by XORing with a random secret per request).
- Protect web pages from CSRF attacks.
- Obfuscate the length of web responses by adding random amounts of arbitrary bytes.
Is it possible to apply this workaround on cisco ISE?
Solved! Go to Solution.
07-28-2021 04:38 PM
There is no access to the underlying OS in ISE, so you cannot make changes to the web server to apply these mitigations.
Is this vulnerability linked to a known CVE? If so, you can check if it is a known vulnerability in Cisco products via the Security Advisories page.
If this is not a known vulnerability and you have a detailed vulnerability report, you can submit it to the Cisco PSIRT team for review as per the Security Vulnerability Policy.
As with other vulnerabilities related to the Web UI, you can mitigate the risk of a threat actor exploiting this vulnerability by limiting access to the Web UI to specific source management IPs/VLANs using the IP Access Restrictions list.
07-28-2021 04:38 PM
There is no access to the underlying OS in ISE, so you cannot make changes to the web server to apply these mitigations.
Is this vulnerability linked to a known CVE? If so, you can check if it is a known vulnerability in Cisco products via the Security Advisories page.
If this is not a known vulnerability and you have a detailed vulnerability report, you can submit it to the Cisco PSIRT team for review as per the Security Vulnerability Policy.
As with other vulnerabilities related to the Web UI, you can mitigate the risk of a threat actor exploiting this vulnerability by limiting access to the Web UI to specific source management IPs/VLANs using the IP Access Restrictions list.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide