-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2009.1003
                                   Cisco
                                6 July 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Cisco Adaptive Security Appliances Firmware (ASA)	
                      8.0.1.2, .2, .2.11, .3, .4, .4.25, .4.28, .4.32 | 8.1 .1, 
                      .2, .2.15, .2.16, .2.19, .2.23, .2.24, Base | 8.2 .0.45
Operating System:     Cisco
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
Resolution:           Patch
CVE Names:            CVE-2009-1201 CVE-2009-1202 CVE-2009-1203
Member content until: Wednesday, August  5 2009

OVERVIEW

        Two cross site scripting vulnerabilities and a credential theft 
        weakness have been identified in Cisco ASA (Adaptive Security 
        Appliance).


IMPACT

        The vendor provides the following details:
        
        (CVE-2009-1201)
        "An unauthenticated, remote attacker could run arbitrary script or 
        HTML code in the security context of the affected site.  This action 
        could allow the attacker to obtain sensitive browser-based 
        information, such as authentication cookies or recently submitted 
        data.  The attacker may also be able to modify the look and feel of 
        the affected site." [1]
        
        (CVE-2009-1202)
        "An unauthenticated, remote attacker could exploit this vulnerability 
        to run arbitrary script or HTML code in the security context of the 
        affected site. An exploit could allow the attacker to access sensitive 
        browser based information such as authentication cookies or recently 
        submitted data. An exploit could also allow an attacker to modify the 
        appearance of the affected site." [2]
        
        (CVE-2009-1203)
        "An unauthenticated, remote attacker who can convince a user to visit 
        a malicious CIFS or FTP site while the user is logged in to the secure 
        portal could use this vulnerability to obtain user credentials." [3]


MITIGATION

        The vendor recommends that administrators apply the appropriate 
        updates. [4]


REFERENCES

        [1] Cisco ASA Adaptive Security Appliance Clientless SSL VPN DOM Cross-Site Scripting Vulnerability
            http://tools.cisco.com/security/center/viewAlert.x?alertId=18373

        [2] Cisco ASA Adaptive Security Appliance Software Clientless SSL VPN Rot13-Encoded Cross-Site Scripting Vulnerability
            http://tools.cisco.com/security/center/viewAlert.x?alertId=18442

        [3] Cisco ASA Adaptive Security Appliance Clientless SSL VPN CIFS and FTP Credential Theft Vulnerability
            http://tools.cisco.com/security/center/viewAlert.x?alertId=18536

        [4] Download Software
            http://www.cisco.com/public/sw-center/index.shtml

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKUZurNVH5XJJInbgRAufzAJ4jXnRE5/0rjfV/lf6+J4Ct3b2mbACfYkYp
f8xyfasTwO5R7HFOe2RSFa8=
=RLXx
-----END PGP SIGNATURE-----