AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
-
Cisco ASA Adaptive Security Appliance Software versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that are configured to accept Clientless SSL VPN connections are affected by a cross-site scripting vulnerability. Versions 7.x are not affected.
The vulnerability is due to insufficient restrictions on access to the JavaScript-based Document Object Model (DOM) that the SSL VPN feature of Cisco ASA uses when clients browse web pages using the VPN web portal. If an unauthenticated, remote attacker can convince a user to visit a malicious page while the user is logged in to the secure portal, the attacker could execute arbitrary script or HTML code in the security context of the affected site.
Cisco has confirmed this vulnerability and released updated software.
The vulnerability is due to a failure to properly protect the DOM of the Clientless SSL VPN from unauthorized modification. The vulnerability is likely to be exploited in cases in which administrators allow users to enter arbitrary URLs that will be visited using the secure web portal. Systems that allow users to visit only URLs that have been defined by administrators are less likely to be affected. When administrators define the URLs, an attacker would need to take control of a website that resides at one of these URLs, or perform some sort of URL spoofing or hijacking to perform an attack.
Exploit code that demonstrates the cross-site scripting vulnerability is publicly available.
-
Cisco has released a Release Note Enclosure for Cisco bug ID CSCsy80694.
This vulnerability was reported to Cisco by Charles Henderson and David Byrne of Trustwave's SpiderLabs.
Vulnerable Products
Cisco ASA Software versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) are affected when they are running on Cisco ASA 5505, 5510, 5520, 5540, 5550, and 5580 devices.
Cisco ASA Software versions 7.x are not affected.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to configure the Clientless SSL VPN web portal to restrict users to administratively defined websites.
Administrators are advised to configure Web Access Control Lists (ACLs) to restrict users to internal or authorized resources only.
Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links prior to following them.
Users are advised not to visit untrusted websites or links.
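The two configuration workarounds above (restricting users to administratively defined websites and applying Web ACLs) translate into a group policy that disables the free-form URL entry box and filters every clientless request through a webtype ACL. The following ASA 8.x configuration is an added illustration, not text from the Cisco advisory; the names PORTAL-GP, INTRANET-ONLY and INTRANET-LINKS and the host intranet.example.com are assumed placeholders, and the bookmark list INTRANET-LINKS is assumed to have already been created (for example through ASDM).

```text
! Webtype ACL: permit only the administratively approved internal site,
! then deny every other URL reachable through the clientless portal.
access-list INTRANET-ONLY webtype permit url https://intranet.example.com/*
access-list INTRANET-ONLY webtype deny url any
!
group-policy PORTAL-GP attributes
 webvpn
  ! Remove the URL entry field so users cannot type arbitrary URLs
  ! (the condition under which the advisory says exploitation is most likely).
  url-entry disable
  ! Present only the administratively defined bookmarks.
  url-list value INTRANET-LINKS
  ! Filter all clientless requests through the webtype ACL above.
  filter value INTRANET-ONLY
```

With url-entry disabled the portal no longer offers a place to enter a URL, and the webtype ACL is the backstop for any URL reached another way (for example through a bookmark that was later changed), which matches the advisory's observation that deployments limited to administrator-defined URLs are less exposed. Verify the result with show running-config group-policy PORTAL-GP and show access-list INTRANET-ONLY after applying it.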
-
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
A special download page on the Software Center contains fixed software releases at the following link: ASA-PSIRT
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version  Description      Section  Status  Date
1.0      Initial Release  NA       Final   2009-Jun-24
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.