Cisco Identity Services Engine RADIUS Suppression Denial of Service Vulnerability
TL;DR 📌
A vulnerability in Cisco Identity Services Engine (ISE) could allow an unauthenticated remote attacker to cause a denial of service (DoS) by exploiting a logic error in RADIUS request processing. Affected releases are 3.4.0 through 3.4 Patch 3. Cisco recommends upgrading to fixed software or, as a workaround, disabling a specific RADIUS setting.
What happened 🕵️‍♂️
A vulnerability has been identified in the RADIUS setting “Reject RADIUS requests from clients with repeated failures” in Cisco Identity Services Engine (ISE). This flaw allows an unauthenticated remote attacker to send crafted RADIUS access requests that can cause Cisco ISE to restart unexpectedly, leading to a denial of service (DoS) condition.
Affected products 🖥️
The following Cisco ISE releases are affected:
- 3.4.0
- 3.4 Patch 1
- 3.4 Patch 2
- 3.4 Patch 3
The default configuration has the vulnerable setting enabled. Cisco ISE Passive Identity Connector (ISE-PIC) is confirmed not to be affected.
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 3.3 and earlier | Not vulnerable | |
| 3.4 | 3.4 Patch 4 | |
| 3.5 | Not vulnerable | |
Advisory revision 1.0: initial public release.
Workarounds 🧯
Administrators can disable the vulnerable setting by:
- Navigating to Administration > System > Settings > Protocols > RADIUS in the Cisco ISE web UI.
- Unchecking the “Reject RADIUS requests from clients with repeated failures” checkbox.
This setting is enabled by default, so disabling it will mitigate the vulnerability until a software upgrade is performed. However, it is advised to re-enable the setting after upgrading.
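The fixed-release table and the workaround above are the two facts an administrator needs to triage a fleet of ISE nodes. The script below is an added example, not Cisco tooling and not part of the advisory: it parses version strings of the forms the advisory uses ("3.4.0", "3.4 Patch 3"), applies the advisory's fixed-release boundary (3.4 Patch 4), and combines that with whether the "Reject RADIUS requests from clients with repeated failures" setting is enabled to produce a per-node status and recommended action. The inventory entries are constructed sample data, and releases the advisory does not list are reported as such rather than guessed at.

```python
"""Triage Cisco ISE nodes against this advisory's fixed-release table.

Added example (not Cisco's code). Assumptions: version strings look like
"3.4.0", "3.4.0.608" or "3.4 Patch 3"; the advisory's facts are that the
3.4 train is vulnerable before 3.4 Patch 4, and that 3.3-and-earlier and
3.5 are not vulnerable.
"""
import re

VULNERABLE_TRAIN = (3, 4)   # only the 3.4 train is affected per the advisory
FIRST_FIXED_PATCH = 4       # 3.4 Patch 4 is the first fixed release
NOT_VULNERABLE_TRAINS = {(3, 5)}   # explicitly listed as not vulnerable

# major.minor, optional further dotted components, optional "Patch N"
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s*patch\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, patch). A release with no patch level is patch 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(version, reject_setting_enabled):
    """Classify one node; returns (status, recommended action)."""
    major, minor, patch = parse_version(version)
    train = (major, minor)
    if train == VULNERABLE_TRAIN:
        if patch >= FIRST_FIXED_PATCH:
            # Fixed release: the advisory advises re-enabling the setting after upgrade.
            action = "none" if reject_setting_enabled else "re-enable the reject-repeated-failures setting"
            return "fixed", action
        if reject_setting_enabled:
            return "vulnerable", "disable the reject-repeated-failures setting now; upgrade to 3.4 Patch 4"
        return "vulnerable-mitigated", "upgrade to 3.4 Patch 4, then re-enable the setting"
    if train < VULNERABLE_TRAIN or train in NOT_VULNERABLE_TRAINS:
        return "not vulnerable", "none"
    # Releases the advisory does not mention: do not guess, flag for review.
    return "not listed", "release not covered by this advisory; check the current Cisco advisory"


def triage_inventory(nodes):
    """nodes: iterable of (hostname, version, setting_enabled). Returns {hostname: (status, action)}."""
    return {host: triage(version, enabled) for host, version, enabled in nodes}


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = [
    ("ise-pan-01", "3.4 Patch 2", True),    # vulnerable, default setting on
    ("ise-psn-01", "3.4 Patch 3", False),   # vulnerable but workaround applied
    ("ise-psn-02", "3.4 Patch 4", False),   # fixed, setting still off
    ("ise-lab-01", "3.3.0", True),          # earlier train, not vulnerable
    ("ise-new-01", "3.5.0", True),          # listed as not vulnerable
]

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:22} -> {action}")
```

Run it against a real inventory by replacing SAMPLE_INVENTORY with the version strings shown in each node's About page and the current state of the RADIUS setting; the "not listed" branch exists so that a train the advisory never names is surfaced for manual review instead of being silently marked safe.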
Risk in context 🎯
With a CVSS score of 8.6, this vulnerability is rated High. The exposure is significant because an unauthenticated remote attacker can trigger the DoS. The risk is particularly notable for internet-facing deployments, where the flaw can be exploited without any credentials.
Fast facts ⚡
- CVSS Score: 8.6 (High)
- Vulnerable Setting: Reject RADIUS requests from clients with repeated failures
- Affected Versions: Cisco ISE 3.4.0 through 3.4 Patch 3
- Mitigation: Disable the vulnerable setting or upgrade to fixed software
For leadership 🧭
This vulnerability poses a High risk (CVSS 8.6) due to its potential for denial of service, allowing unauthenticated attackers to disrupt services. The affected setting is enabled by default, making many deployments vulnerable. Immediate action is required to either disable this setting or upgrade to the fixed software version (3.4 Patch 4) within 7 days to mitigate risk.
- Now: Disable the vulnerable RADIUS setting.
- Next: Plan and execute the upgrade to fixed software.
- Later: Re-enable the RADIUS setting after confirming the upgrade is successful.
Operational impact is minimal, requiring a brief maintenance window with no expected configuration drift.