-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2007.0181 -- [Win][UNIX/Linux][Cisco]
         Cisco Security Response: Cross-Site Scripting Vulnerability
                           in Online Help System
                               21 March 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Cisco Secure Access Control Server (ACS) for Windows
                        version 4.1
                      Cisco Secure ACS Solution Engine version 4.1
                      Cisco VPN Client
                      Cisco Unified Personal Communicator.
                      Cisco MeetingPlace
                      Cisco Unified MeetingPlace
                      Cisco CallManager
                      Cisco IP Communicator
                      Cisco Unified Video Advantage
                      Cisco Unified Videoconferencing 3545, 3540, 3515, 3527,
                      Cisco WAN Manager
                      Cisco Network Analysis Module for Catalyst 6500 switches
                      Cisco Network Analysis Module for 7600 series routers
                      CiscoWorks and all products that integrate with
                        CiscoWorks
                      Cisco Wireless LAN Solution Engine
                      Cisco 2006 Wireless LAN Controllers
                      Cisco Wireless Control System
Publisher:            Cisco
Operating System:     Cisco
                      UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
Access:               Remote/Unauthenticated

Original Bulletin:
  http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Cross-Site Scripting Vulnerability in Online Help
System

http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

Revision 1.0

For Public Release 2007 March 15 1700 UTC (GMT)

- - -------------------------------------------------------------------------

Cisco Response
==============

A cross-site scripting (XSS) vulnerability in the online help system
distributed with several Cisco products has been independently reported to
Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt. The
vulnerability would allow an attacker to execute arbitrary scripting code
in a user's web browser if the attacker is successful in enticing the user
to follow a specially crafted, malicious URL.

Multiple Cisco products are affected because the vulnerable online help
system is used by several Cisco products.

This response is posted at
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

Additional Information
======================

The vulnerability exists specifically in the content search feature of the
online help system. This feature allows the user to search for specific
keywords in the help contents. The search feature is implemented through an
HTML form and scripting code.

The vulnerability exists because the search code in the file PreSearch.html
(or in the file PreSearch.class, depending on the product) fails to
properly sanitize all of the user's input. The vulnerability is triggered
when a search keyword that includes scripting code enclosed by <script> and
</script> tags is entered in the text field of the search form. In some
cases, the initial text is sanitized, but further text is not, so scripting
code after the initial text can also trigger the vulnerability. For
example: "some text <script>alert('I am a script')</script>".

User intervention is required for an attacker to be able to successfully
exploit this vulnerability: an attacker must be able to trick a user into
following a malicious, specially crafted URL. In some cases, the user must
be authenticated to the web interface offered by the product for management
or regular use.

The following Cisco products are affected by this vulnerability (all
versions are affected unless a specific version is explicitly mentioned):

  * Cisco Secure Access Control Server (ACS) for Windows version 4.1 and
    Cisco Secure ACS Solution Engine version 4.1. Cisco Bug ID CSCsh91761
  * Cisco VPN Client. Cisco Bug ID CSCsh52300
  * Cisco Unified Personal Communicator. Cisco Bug ID CSCsh91884
  * Cisco MeetingPlace and Cisco Unified MeetingPlace, end-user and Admin
    help systems. Cisco Bug ID CSCsi12435
  * Cisco Unified MeetingPlace Express, end-user and Admin help systems.
    Cisco Bug ID CSCsh91901
  * Cisco CallManager. Cisco Bug ID CSCsi10405
  * Cisco IP Communicator. Cisco Bug ID CSCsh91953
  * Cisco Unified Video Advantage (formerly Cisco VT Advantage). Cisco Bug
    ID CSCsh93070
  * Cisco Unified Videoconferencing 3545 System, Cisco Unified
    Videoconferencing 3540 Series Videoconferencing System, Cisco Unified
    Videoconferencing 3515 MCU, Cisco Unified Videoconferencing 3527 PRI
    Gateway, Cisco Unified Videoconferencing 3526 PRI Videoconferencing
    Gateway, and Cisco Unified Videoconferencing Manager. Cisco Bug ID
    CSCsh93854
  * Cisco WAN Manager (CWM). Cisco Bug ID CSCek71039
  * Cisco Security Device Manager. Cisco Bug ID CSCsh95009
  * Cisco Network Analysis Module (NAM) for Catalyst 6500 series switches
    and Cisco 7600 series routers, and for modular IOS routers. Cisco Bug
    ID CSCsi10818
  * CiscoWorks and all products that integrate with CiscoWorks. Cisco Bug
    ID CSCsi10674

    Affected CiscoWorks-related products include:

      + Management Center for IPS Sensors
      + Security Monitor
      + CiscoWorks LAN Management Solution
      + Router Management Essentials
      + Common Services
      + Device Fault Manager
      + CiscoView
      + Internetwork Performance Monitor (IPM)
      + Campus Manager

  * Cisco Wireless LAN Solution Engine (WLSE). Cisco Bug ID CSCsi10982
  * Cisco 2006 Wireless LAN Controllers (WLC). Cisco Bug ID CSCsi13743
  * Cisco Wireless Control System (WCS). Cisco Bug ID CSCsi13763

In some cases it is possible to eliminate the vulnerability by removing or
renaming the files PreSearch.html and PreSearch.class (if they exist; use
your operating system's file search feature to locate them). Please note
that this workaround is not applicable to appliances and other products
where direct access to the file system is not available, and that by
removing or renaming these files it will no longer be possible to search
the product's online help contents.

For additional information on Cross-Site Scripting (XSS) attacks and the
methods used to exploit these vulnerabilities, please refer to the Cisco
Applied Intelligence Response "Understanding Cross-Site Scripting (XSS)
Threat Vectors", available at:

http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-xss.shtml

The Cisco PSIRT is not aware of any malicious use of the vulnerability
described in this document.

This issue was independently reported to Cisco by Erwin Paternotte from
Fox-IT and by Cassio Goldschmidt. The original reports were for the Cisco
CallManager and for the Cisco VPN Client, respectively. Further
investigation revealed a number of additional affected products.

We would like to thank Erwin Paternotte, Fox-IT, and Cassio Goldschmidt for
bringing this issue to our attention and for working with us towards
coordinated disclosure of the issue.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+---------------------------------------------------------------------+
| Revision |               | Initial public release in coordination   |
| 1.0      | 2007-March-15 | with Erwin Paternotte from Fox-IT and    |
|          |               | with Cassio Goldschmidt.                 |
+---------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- - -----------------------------------------------------------------------------

All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights
reserved.

- - -----------------------------------------------------------------------------

Updated: Mar 15, 2007                                   Document ID: 82421

- - -----------------------------------------------------------------------------
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFF+YXg8NUAbBmDaxQRAiGbAJ9rmm2liqco3ghbP28eX+YFJCuHGwCfW14f
MmttxQPKVWGFhLCoaZNQyPQ=
=PSV6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRgB0GCh9+71yA2DNAQJOAQQAmG3PsE8i9k7rasK/4aTd/40/FKXTAG9H
c0JT3Hjs/EUhPS4Rh+f6F7v4SnnEzueb+qnfPpwhXrm4gQoGNL8lgzq16yRm5uL2
M1YflUq+MNs+y6Qucg/OSyz4tpSAZYInphRSuDo67x3rgnNz1Wi9gNg1DN49SQnE
Wgp6vV6pyTg=
=9veS
-----END PGP SIGNATURE-----
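
Added example (not part of the Cisco or AusCERT text, and not Cisco's PreSearch code): a constructed JavaScript model of the flaw described under "Additional Information", where only the initial search text is encoded, beside a handler that encodes the whole keyword at the point of output. The function names, the "q" query parameter and the help.example.invalid URL are assumptions made for illustration.

```javascript
// Constructed model of the flaw class; names and markup are hypothetical.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that is significant in HTML text or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Flawed handler (assumed shape): only the first space-delimited term is
// encoded; everything after it is echoed into the page verbatim.
function renderHeadingPartial(keyword) {
  const [first, ...rest] = String(keyword).split(' ');
  const tail = rest.length ? ' ' + rest.join(' ') : '';
  return '<h2>Results for: ' + escapeHtml(first) + tail + '</h2>';
}

// Corrected handler: the entire keyword is encoded when it is written out.
function renderHeadingSafe(keyword) {
  return '<h2>Results for: ' + escapeHtml(keyword) + '</h2>';
}

// The keyword reaches the page through a link the user follows, so read it
// from the URL the same way for both handlers ("q" is an assumed name).
function keywordFromUrl(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Review check: does the rendered markup still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Sample keyword quoted in the advisory, carried in a constructed URL.
const SAMPLE = "some text <script>alert('I am a script')</script>";
const SAMPLE_URL = 'http://help.example.invalid/PreSearch.html?q=' +
  encodeURIComponent(SAMPLE);

function demo() {
  const keyword = keywordFromUrl(SAMPLE_URL);
  return {
    partial: containsScriptTag(renderHeadingPartial(keyword)),
    safe: containsScriptTag(renderHeadingSafe(keyword)),
  };
}

console.log(demo());
```

A test that submits only a leading script tag passes against the partial handler, which is why a regression test for this bug should place markup after ordinary text as the advisory's sample does.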