Cisco has addressed the high-impact vulnerability CVE-2023-20243 in Cisco Identity Services Engine (ISE), which allows attackers to stop an affected node from processing RADIUS packets.
The vulnerability, which carries a base score of 8.6, was found during the resolution of a Cisco TAC support case; the advisory was released on September 6, 2023.
Cisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations.
Cisco ISE Policy Service Nodes (PSNs) configured for RADIUS are affected by this vulnerability; a node used for TACACS only is unaffected.
Recommendations:
There are no workarounds that address this vulnerability. However, several potential mitigations may help reduce exposure to it.
Customers should turn off RADIUS accounting on the network access device (NAD) that is sending the crafted packets to the Cisco ISE PSN.
Before deploying any workaround or mitigation, customers should evaluate it in a test environment under their own conditions.
Customers should be aware that any workaround or mitigation they implement may negatively affect the functionality or performance of their network, depending on their deployment scenarios and limitations.
Cisco has released free software updates that address the vulnerability described in this advisory.
Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Customers who purchase directly from Cisco but do not hold a Cisco service contract, and those who purchase through third-party vendors but cannot obtain fixed software through their point of sale, should obtain upgrades by contacting Cisco.