Information on mitigating cross-site scripting attacks is available for the Cisco IronPort AsyncOS Spam Quarantine login page cross-site scripting vulnerability.
Description
Cisco IronPort AsyncOS contains a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in the user's browser.
The vulnerability exists in the login page of the Spam Quarantine feature. An unauthenticated, remote attacker could exploit this vulnerability by creating a malicious link and convincing a targeted user to follow it. If the user clicks the link, the attacker could execute arbitrary script code in the user's browser in the security context of the affected site.
A proof-of-concept URL is publicly available.
Cisco has confirmed this vulnerability and updated software is available.
Warning Indicators
IronPort Series C, M, and X appliances running AsyncOS versions prior to 6.5.2 are vulnerable. IronPort Series S appliances are not affected.
Users can determine if an appliance is running a vulnerable version of AsyncOS by typing the version command in the command line interface (CLI); the web user interface on the System Administration: System Upgrade page also shows the version.
IntelliShield Analysis
In order to exploit this vulnerability, an attacker will need to lure a targeted user into clicking on a malicious link. This will typically require the use of social engineering tactics, such as sending the link via e-mail, instant messaging, or other forms of communication.
This vulnerability can only be exploited to gain access to the Spam Quarantine component of the affected software. The device's administrative console is not at risk.
Vendor Announcements
Cisco has confirmed this vulnerability.
This vulnerability was reported to Cisco by Secunia.
Impact
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary script code in the user's browser in the security context of the affected site. Code execution could allow the attacker to take actions as the user on that site or to obtain recently submitted data.
Technical Information
The vulnerability exists due to a lack of input sanitization in the referrer parameter of the Spam Quarantine login page. An unauthenticated, remote attacker could construct a malicious link designed to inject script code in the referrer parameter of the login page. By convincing a targeted user to follow this link, the attacker could execute arbitrary script code in the user's browser in the security context of the affected site.
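The following is an added example, not Cisco's or AsyncOS's code, showing the defect pattern the alert describes (a query parameter reflected into a page without encoding) next to a hardened version that validates the value against a same-site path allowlist and HTML-attribute-encodes it on output. Only the parameter name "referrer" comes from the alert; the login form layout, the hidden-field use of the parameter, the function names and the probe string are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed probe value (not the public proof of concept); it closes the
# attribute and opens a tag, which is all a reflected XSS check needs.
PROBE = '/quarantine"><script>probe()</script>'

# Allowlist for a post-login return path (assumption about how the value is
# used): a single leading slash, then only characters a normal path/query needs.
SAFE_PATH = re.compile(r"/[A-Za-z0-9/_.?=&%-]*")


def render_login_unsafe(referrer: str) -> str:
    """The flaw pattern: the parameter is written into HTML verbatim."""
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="referrer" value="{referrer}">'
        '<input type="text" name="username">'
        '<input type="password" name="password">'
        '</form>'
    )


def safe_referrer(referrer: str) -> str:
    """Return the referrer only if it is a same-site relative path.

    Anything with a scheme (javascript:, http:), a host (//evil.example),
    or characters outside the allowlist falls back to "/", so the value can
    neither inject markup nor redirect the user off-site after login.
    """
    parts = urlsplit(referrer)
    if parts.scheme or parts.netloc:
        return "/"
    if referrer.startswith("//") or not SAFE_PATH.fullmatch(referrer):
        return "/"
    return referrer


def encode_attr(value: str) -> str:
    """HTML-attribute-encode a value (quotes included) for output."""
    return html.escape(value, quote=True)


def render_login_safe(referrer: str) -> str:
    """Hardened form: validate first, then encode on output (defense in depth).

    Encoding alone would already neutralize the probe; validation additionally
    keeps the value from being used as an open redirect.
    """
    value = encode_attr(safe_referrer(referrer))
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="referrer" value="{value}">'
        '<input type="text" name="username">'
        '<input type="password" name="password">'
        '</form>'
    )


if __name__ == "__main__":
    print("unsafe:", render_login_unsafe(PROBE))
    print("safe:  ", render_login_safe(PROBE))
```

Running the module prints the two renderings side by side; in the unsafe one the hidden input is closed early and a new tag appears, in the safe one the probe never reaches the page because validation rejects it, and even a value that passes validation is attribute-encoded before it is written.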
Safeguards
Administrators are advised to apply the appropriate updates.
Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links prior to following them.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
The Cisco Applied Intelligence team has created the following document to guide administrators in identifying and mitigating cross-site scripting attacks prior to applying updated software: cisco-amb-20060922-understanding-xss.
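As an added example of the detection step the safeguards recommend (not a Cisco signature or tool), the script below scans web access log lines for requests to the login page whose referrer parameter, once URL-decoded, contains markup or script-scheme characters. The log lines are constructed in Combined Log Format for illustration, the login path "/login" is an assumption, and the pattern list is a generic reflected-XSS heuristic rather than a signature for this specific issue.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (not real appliance logs). Lines 2 and 3 carry
# suspicious referrer values; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2009:11:43:01 -0700] "GET /login?referrer=/quarantine HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2009:11:44:10 -0700] "GET /login?referrer=%2Fquarantine%22%3E%3Cscript%3Eprobe()%3C%2Fscript%3E HTTP/1.1" 200 1234 "http://mail.example.net/" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2009:11:45:30 -0700] "GET /login?referrer=javascript%3Aprobe() HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2009:11:46:00 -0700] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOGIN_PATH = "/login"  # assumption: the Spam Quarantine login page path
PARAM = "referrer"     # parameter named in the alert

# Combined Log Format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic reflected-XSS heuristic: tag/attribute delimiters, javascript: URLs,
# or inline event handlers in a value that should only ever be a path.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)


def deep_unquote(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded values are seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_referrers(log_text: str) -> list:
    """Return one record per login-page request with a suspicious referrer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = urlsplit(m.group("target"))
        if target.path != LOGIN_PATH:
            continue
        for raw in parse_qs(target.query, keep_blank_values=True).get(PARAM, []):
            value = deep_unquote(raw)
            if SUSPICIOUS.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "referrer": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_referrers(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} referrer={hit['referrer']!r}")
```

The same logic translates directly into an IDS or WAF rule: match the login path, extract the referrer parameter, decode it, and alert on delimiter or script-scheme characters. Because the alert's fixed release is 6.5.2, a hit from an appliance still below that version is the case to escalate; on an upgraded appliance the same hit is evidence of a probe that no longer succeeds.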
Patches/Software
Administrators can apply fixes by using the upgrade command from the command line interface, or by using the System Administrator tab of the graphical user interface (GUI) to select the System Upgrade option. In either case, version 6.5.2 contains the fix.
Alert History
Version 1, June 3, 2009, 11:43 AM: Cisco IronPort AsyncOS contains a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in the user's browser. Updates are available.
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.