A critical vulnerability, CVE-2023-20243, has been found in the RADIUS (Remote Authentication Dial-In User Service) message processing feature of the Cisco Identity Services Engine (ISE). This vulnerability can be exploited by an unauthenticated, remote attacker to cause the affected system to stop processing RADIUS packets. This may result in legitimate users being denied authentication and access to the network or service.

Vulnerability Details

This vulnerability is due to improper handling of specific RADIUS accounting requests. An attacker could exploit this vulnerability by sending a crafted authentication request to a network access device (NAD) that uses Cisco ISE for authentication, authorization, and accounting (AAA). This would eventually lead the NAD to send a RADIUS accounting request packet to Cisco ISE. The attacker could also exploit this vulnerability directly if the RADIUS shared secret is known.

A successful exploit could allow the attacker to cause the RADIUS process to unexpectedly restart, resulting in authentication or authorization timeouts and denying legitimate users access to the network or service. Clients who are already authenticated to the network would not be affected.

Code Snippet

The following is an example of an attacker crafting an authentication request to exploit this vulnerability:

import socket

# Using IP/hostname and port of the target Cisco ISE
target_ip = "192..2.1"
target_port = 1645

# Crafted RADIUS accounting request packet
crafted_packet = b"\x04\x01\x00\x18\xc3\xaemA\x7f\xbbzy6\x03\x9cg\xd1READY\xcMY_SECRET"

# Sending forged packet
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(crafted_packet, (target_ip, target_port))

Recovery Process

If the vulnerability is successfully exploited, a manual restart of the affected Policy Service Node (PSN) may be required to recover the ability to process RADIUS packets.

References

For more information about this vulnerability and the affected Cisco Identity Services Engine (ISE) products, please refer to the following links:

1. Original Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20220320-ise-radius
2. Cisco ISE Product Information: https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
3. RADIUS Protocol Information: https://en.wikipedia.org/wiki/RADIUS

Conclusion

CVE-2023-20243 is a severe vulnerability in Cisco Identity Services Engine's RADIUS message processing. It can be exploited by unauthenticated, remote attackers to cause authentication and access denials for legitimate users. Network administrators should apply the necessary patches and updates to the affected systems promptly to mitigate risks and safeguard network resources.

Timeline

Published on: 09/06/2023 18:15:08 UTC
Last modified on: 09/19/2023 21:02:44 UTC