Document ID: 600
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090925-axg
Revision 1.0
For Public Release 2009 September 25 16:00 UTC (GMT)
Contents
ResponseAdditional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures
Cisco Response
This is the Cisco PSIRT response to the statements made by Alejandro Hernandez H. in his advisory: "Cisco ACE XML Gateway <= 6.0 Internal IP disclosure".
The original email/advisory is available at
http://seclists.org/fulldisclosure/2009/Sep/0369.html
Cisco would like to thank Alejandro Hernandez H. for discovering and reporting this vulnerability to Cisco.
This response is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090925-axg
Additional Information
This vulnerability is documented in Cisco bug ID: CSCtb82159 ( registered customers only) .
For customers without access to Cisco's Bug Toolkit, the full Release Note for Cisco Bug ID CSCtb82159 has been made available here, as follows: :
Symptom
When generating a "Message-handling Errors" message, if an appropriate error handler is not found, the response discloses the Cisco ACE XML Gateway (AXG) and the Cisco ACE Web Application Firewall (WAF) client internal IP address.
Conditions
All versions prior to system software version 6.1 are vulnerable.
This vulnerability affects the Cisco ACE XML Gateway and the Cisco ACE Web Application Firewall.
Though the response by itself does not provide any way to compromise the device, this behavior discloses potentially valuable information about the internal network structure.
The disclosed address is not the address of the AXG or WAF, it is an address of its client, which in many cases is a load balancer.
The Internal IP address is included in the message-handling errors response if AXG or WAF was not able to find a matching handler for the request.
Workaround
There is currently no workaround for this vulnerability.
Further Problem Description
System software version 6.1 is expected to be available in November 2009.
Status of this Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Revision History
|
Revision 1.0 |
2009-September-25 |
Initial public release |
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
