Vulnerability Alert

Cisco IronPort AsyncOS Spam Quarantine Login Page Cross-Site Scripting Vulnerability

 
Threat Type: CWE-79: Cross-Site Scripting (XSS)
IntelliShield ID: 18365
Version: 2
First Published: 2009 June 03 15:43 GMT
Last Published: 2009 June 04 15:23 GMT
Port: Not available
CVE: CVE-2009-1162
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 4.3
CVSS Version 2.0
CVSS Temporal: 3.4
 
Version Summary:

Information on mitigating cross-site scripting attacks is available for the Cisco IronPort AsyncOS Spam Quarantine login page cross-site scripting vulnerability.

 
 
Description

Cisco IronPort AsyncOS contains a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in the user's browser.

The vulnerability exists in the login page of the Spam Quarantine feature. An unauthenticated, remote attacker could exploit this vulnerability by creating a malicious link and convincing a targeted user to follow it. If the user clicks the link, the attacker could execute arbitrary script code in the user's browser in the security context of the affected site.

A proof-of-concept URL is publicly available.

Cisco has confirmed this vulnerability and updated software is available.

 
Warning Indicators

IronPort Series C, M, and X appliances running AsyncOS versions prior to 6.5.2 are vulnerable. IronPort Series S appliances are not affected.

Users can determine if an appliance is running a vulnerable version of AsyncOS by typing the version command in the command line interface (CLI); the web user interface on the System Administration: System Upgrade page also shows the version.

 
IntelliShield Analysis

In order to exploit this vulnerability, an attacker will need to lure a targeted user into clicking on a malicious link. This will typically require the use of social engineering tactics, such as sending the link via e-mail, instant messaging, or other forms of communication.

This vulnerability can only be exploited to gain access to the Spam Quarantine component of the affected software. The device's administrative console is not at risk.

 
Vendor Announcements

Cisco has confirmed this vulnerability.

This vulnerability was reported to Cisco by Secunia.

 
Impact

An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary script code in the user's browser in the security context of the affected site. Code execution could allow the attacker to take actions as the user on that site or to obtain recently submitted data.

 
Technical Information

The vulnerability exists due to a lack of input sanitization in the referrer parameter of the Spam Quarantine login page. An unauthenticated, remote attacker could construct a malicious link designed to inject script code in the referrer parameter of the login page. By convincing a targeted user to follow this link, the attacker could execute arbitrary script code in the user's browser in the security context of the affected site.
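The defect class described above, reflecting a request parameter into the login page without validation or output encoding, beside a hardened version. This is an added illustration, not AsyncOS code; the parameter name "referrer" comes from the alert, while the hidden-field markup and the rule that a legitimate referrer must be a same-site relative path are assumptions.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed example (not AsyncOS code). Assumes the login page carries the
# post-login destination in a "referrer" query parameter and echoes it back
# into the page, which is the behaviour the alert describes.

def safe_referrer(value: str, default: str = "/") -> str:
    """Accept only a relative path on this site; otherwise fall back to default."""
    if not value:
        return default
    parsed = urlparse(value)
    # Reject absolute URLs, scheme-relative URLs ("//host/...") and any value
    # that is not a site-relative path, so the parameter cannot carry markup
    # or point the user off-site after login.
    if parsed.scheme or parsed.netloc or not value.startswith("/") or value.startswith("//"):
        return default
    return value

def render_login_unsafe(query: str) -> str:
    """Vulnerable pattern: the parameter is copied into HTML verbatim."""
    referrer = parse_qs(query).get("referrer", [""])[0]
    return f'<input type="hidden" name="referrer" value="{referrer}">'

def render_login_safe(query: str) -> str:
    """Hardened pattern: validate the value, then HTML-encode it on output."""
    referrer = safe_referrer(parse_qs(query).get("referrer", [""])[0])
    return f'<input type="hidden" name="referrer" value="{html.escape(referrer, quote=True)}">'
```

Both validation and encoding are needed: encoding alone stops markup injection, while the path check also stops the parameter from being used as an open redirect after a successful login.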

 
Safeguards

Administrators are advised to apply the appropriate updates.

Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links prior to following them.

Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
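One way to surface exploitation attempts in web access logs while the update is being scheduled, as an added example that is not part of the alert or any Cisco IDS/IPS signature. It assumes the appliance, or a proxy in front of it, logs the request line including the query string; the login path "/login" and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed example. Assumes combined-format access logs in which the
# request line (method, target, protocol) is quoted.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# A legitimate referrer should be a path, so any HTML tag or event-handler
# attribute in the decoded value is a strong indicator of an injection attempt.
INJECTION_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=", re.IGNORECASE)

def referrer_values(log_line: str) -> list:
    """Return the decoded referrer parameter values from one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qs decodes once; unquote again so double-encoded values are caught.
    return [unquote_plus(v) for v in parse_qs(query).get("referrer", [])]

def is_suspicious(log_line: str) -> bool:
    return any(INJECTION_RE.search(v) for v in referrer_values(log_line))

def scan(lines) -> list:
    """Return the log lines that carry markup in the referrer parameter."""
    return [line for line in lines if is_suspicious(line)]

# Constructed sample log: one normal login, one injection attempt, one
# request without a referrer parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2009:12:00:00 +0000] "GET /login?referrer=%2Fquarantine HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Jun/2009:12:00:05 +0000] "GET /login?referrer=%22%3E%3Cscript%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Jun/2009:12:00:09 +0000] "GET /login HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious referrer parameter:", hit)
```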

The Cisco Applied Intelligence team has created the following document to guide administrators in identifying and mitigating cross-site scripting attacks prior to applying updated software: cisco-amb-20060922-understanding-xss.

 
Patches/Software

Administrators can apply fixes by using the upgrade command from the command line interface, or by using the System Administrator tab of the graphical user interface (GUI) to select the System Upgrade option. In either case, version 6.5.2 contains the fix.

 
Alert History

Version 1, June 3, 2009, 11:43 AM: Cisco IronPort AsyncOS contains a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in the user's browser. Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IronPort Systems, Inc. AsyncOS for IronPort EMail Security Appliances: 6.4.0 -273 | 6.0.0 -754, -757 | 6.1.0 -301, -304, -306, -307 | 6.1.5 -110 | 6.1.6 -003 | 6.3.5 -003 | 6.3.6 -003 | 6.5.0 -405 | 6.5.1 -005

Associated Products:
N/A



