Date: 27 April 2009
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2009.0102 AUSCERT Advisory
[Cisco]
Cisco ASA: Multiple Vulnerabilities
27 April 2009
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: Cisco ASA 7.2.1
Cisco ASA 7.2.2
Cisco ASA 7.2.34
Cisco ASA 7.3
Cisco ASA 7.3.1
Cisco ASA 7.4
Cisco ASA 7.4.27
Cisco ASA 8.0.1.2
Cisco ASA 8.0.2
Cisco ASA 8.0.2.11
Cisco ASA 8.0.3
Cisco ASA 8.0.4
Cisco ASA 8.0.4.25
Cisco ASA 8.0.4.28
Operating System: Cisco
Impact: Execute Arbitrary Code/Commands
Cross-site Scripting
Access: Remote/Unauthenticated
Member content until: Monday, May 25 2009
Comment: Proof of concept code is available for this vulnerability.
OVERVIEW:
A vulnerability has been identified in Cisco Adaptive Security
Appliance (ASA) clientless SSL VPN feature.
IMPACT:
The vendor describes the vulnerability as being due to "...
insufficient input validation within the WebVPN clientless mode
feature." This vulnerability could be exploited by attackers to
allow cross-site scripting attacks, and potentially the execution
of arbitrary code. [1]
MITIGATION:
While the vulnerability has been confirmed by the vendor, no updates
are yet available. The vendor recommends restricting access to affected
systems to trusted users only, and advises that users should not follow
unsolicited links, and always ensure that they have verified the
authenticity of links prior to following them. [1]
REFERENCES:
[1] Cisco ASA Software WebVPN Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=17950
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJ9SOqNVH5XJJInbgRAqU5AJ0dbDLw6Gk/ZsDnyroMQqGStKYYuACcDQy2
HEF+e6bJCUNShdb/zSFYAWc=
=Gp1A
-----END PGP SIGNATURE-----
|