January 2026 Assessment

Executive Summary

Google/Mandiant conducted a 7-day penetration test at CHLA spanning both external and internal attack surfaces. The external assessment (January 13-16) focused on perimeter services and wireless infrastructure. The internal assessment (January 19-23) targeted Active Directory, ISE policy enforcement, and lateral movement paths. Two significant findings emerged: a critical posture redirect ACL vulnerability permitting credential harvesting pre-authentication, and a high-severity XXE vulnerability in the ISE ERS API.

Engagement Schedule

Phase | Dates | CHLA Staff | Mandiant Lead
--- | --- | --- | ---
External Assessment | January 13-16, 2026 | Vartan, Evan Rosado | James Hawk, Qifan Guo
Internal Assessment | January 19-23, 2026 | Vartan, Ashley, Sarah | James Hawk, Qifan Guo

Finding 1: PENTEST-POSTURE-ACL-001

Field | Value
--- | ---
Finding ID | PENTEST-POSTURE-ACL-001
Severity | CRITICAL
Category | Network Access Control — Posture Redirect ACL
CVSS | N/A (configuration weakness)
Affected | All wireless endpoints during posture assessment phase
Attack Vector | Evil twin WiFi access point exploiting the overly permissive posture redirect ACL. During the window between 802.1X authentication and posture compliance, the redirect ACL permits Kerberos, SMB, and LDAP traffic — protocols that carry or negotiate credentials.

Technical Details

The posture redirect ACL applied during the compliance assessment window permits the following sensitive protocols:

  • Kerberos (TCP/UDP 88) — AS-REQ contains pre-authentication data; TGS-REQ reveals service targets

  • SMB (TCP 445) — NTLM authentication exchanges, NTLMv2 hashes harvestable via Responder

  • LDAP (TCP 389) — Bind credentials, directory enumeration

These protocols are permitted before the endpoint has been verified as compliant, creating a window where credential material transits the network to any destination — including an attacker-controlled access point.

Proof of Concept

Component | Detail
--- | ---
Hardware | Raspberry Pi 4 Model B
OS | Kali Linux (latest rolling)
WiFi Adapter | External USB (monitor mode capable)
Spoofed MAC | 00:14:D1:B0:50:D4
Spoofed SSID | CHLA_Staff
Tools | hostapd-wpe, Responder, Wireshark

Attack Chain

  1. Broadcast — Attacker deploys evil twin AP broadcasting CHLA_Staff SSID from concealed Raspberry Pi

  2. Associate — Endpoint auto-connects to strongest signal; attacker AP accepts association

  3. Redirect — Posture redirect ACL is applied; endpoint begins compliance check

  4. Harvest — During the posture window, endpoint sends Kerberos AS-REQ, SMB negotiation, and LDAP binds — all permitted by the redirect ACL

  5. Crack — Captured NTLMv2 hashes cracked offline (hashcat, rule-based attack)

  6. Lateral Movement — Compromised credentials used to pivot into internal network segments

Proposed Remediation

Zero-trust posture redirect ACL — permit only what is required for posture assessment:

  • DHCP (UDP {port-dhcp-server}/{port-dhcp-client})

  • DNS (UDP/TCP {port-dns})

  • ISE Posture Agent (TCP 8905)

  • ISE Portal (TCP 8443)

  • HTTP/HTTPS for captive portal redirect (TCP 80/443)

  • Deny all else — explicitly block Kerberos, SMB, LDAP, and all other protocols

Full remediation details in Posture ACL Remediation.
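As an added illustration (not part of the Mandiant report or CHLA's configuration), the Python below models the redirect ACL as a first-match permit/deny filter, as the finding describes it, and audits it against the allowlist in the proposed remediation, flagging credential-bearing protocols that are still permitted, catch-all permits, and required posture ports that are blocked. The ACL contents are constructed, and the standard DHCP/DNS ports stand in for the report's unresolved placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", or "ip" (any protocol)
    port: Optional[int]    # destination port; None matches any port

# Ports the proposed remediation says posture assessment actually needs.
# DHCP/DNS use their standard ports here (the report's placeholders are unresolved).
REQUIRED = {
    ("udp", 67), ("udp", 68),         # DHCP server / client
    ("udp", 53), ("tcp", 53),         # DNS
    ("tcp", 8905), ("tcp", 8443),     # ISE posture agent / portal
    ("tcp", 80), ("tcp", 443),        # HTTP/HTTPS captive portal redirect
}

# Protocols the finding identifies as carrying or negotiating credentials.
CREDENTIAL_BEARING = {
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 445): "SMB", ("tcp", 389): "LDAP",
}

def lookup(acl, proto, port):
    """Return the action of the first matching ACE; implicit deny otherwise."""
    for ace in acl:
        if ace.proto in (proto, "ip") and ace.port in (port, None):
            return ace.action
    return "deny"

def audit(acl):
    """List what is wrong with a posture redirect ACL; an empty list means clean."""
    findings = [f"CRITICAL: {name} ({proto}/{port}) permitted before compliance"
                for (proto, port), name in CREDENTIAL_BEARING.items()
                if lookup(acl, proto, port) == "permit"]
    findings += [f"OVERLY BROAD: permit {ace.proto} on any port"
                 for ace in acl if ace.action == "permit" and ace.port is None]
    findings += [f"BREAKS POSTURE: {proto}/{port} not permitted"
                 for proto, port in sorted(REQUIRED) if lookup(acl, proto, port) != "permit"]
    return findings

# Constructed approximation of the ACL as found: needed ports plus the credential protocols.
AS_FOUND = [Ace("permit", p, n) for p, n in sorted(REQUIRED)] + [
    Ace("permit", "tcp", 88), Ace("permit", "udp", 88),
    Ace("permit", "tcp", 445), Ace("permit", "tcp", 389),
    Ace("deny", "ip", None),
]
# Proposed remediation: required ports only, then an explicit deny-all.
REMEDIATED = [Ace("permit", p, n) for p, n in sorted(REQUIRED)] + [Ace("deny", "ip", None)]
```

Running `audit(AS_FOUND)` reports the four credential-bearing permits, while `audit(REMEDIATED)` returns an empty list.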

Finding 2: CVE-2026-20029

Field | Value
--- | ---
CVE | CVE-2026-20029
Severity | HIGH
Type | XML External Entity (XXE) Injection
Component | ISE External RESTful Services (ERS) API
Affected Versions | ISE 3.1, 3.2, 3.3 (pre-patch)
CHLA Version | ISE 3.2 Patch 5 (vulnerable)

Exposure Assessment

CHLA exposure is LOW despite the HIGH severity rating:

  • Only 5 ERS API accounts provisioned (all service accounts)

  • No external API access — ERS API restricted to management VLAN

  • Quarterly credential rotation enforced

  • MFA required for ISE admin console (ERS API uses basic auth with IP restriction)

Mitigations In Place

  • ERS API firewall rules restrict source IPs to authorized management stations

  • Rate limiting configured on API endpoints

  • Audit logging enabled — all ERS API calls logged to ISE MnT

Patch Plan

Upgrade to ISE 3.2 Patch 8 — scheduled maintenance window February 10-12, 2026.

Full patching details in ISE CVE Patching.

Compliance Monitoring

ISE Live Logs

Daily and weekly monitoring of ISE Live Logs for anomalous authentication patterns:

  • Daily — Review failed authentications, unknown MAC addresses, policy set violations

  • Weekly — Compliance rate trending, top failed endpoints, certificate expiration warnings

Endpoint Hygiene

Platform | Endpoints | Compliance Rate
--- | --- | ---
Windows | 3,450 | 98.2%
macOS | 845 | 96.7%
iOS | 1,760 | 94.3%
Chromebooks | 1,754 | 99.1%
WYSE Thin Clients | 857 | 97.8%