Cisco Patches XSS Flaw in Security Appliances

There’s a reflected cross-site scripting (XSS) vulnerability in several Cisco security appliances that enables a remote, unauthenticated attacker to execute arbitrary script in the context of the user’s browser.

The vulnerability affects the Cisco Email Security Appliance, the Cisco Web Security Appliance and the Content Security Management Appliance. Cisco has released updated software to fix the flaw for each of the affected appliances. The problem lies in the AsyncOS, the operating system that runs on the Cisco security appliances.

“Cisco AsyncOS, the underlying OS for the Cisco Email Security Appliance, Web Security Appliance, and Content Security Management Appliance, contains a reflected cross-site scripting vulnerability in the reports overview page of the management interface. An attacker is able to load arbitrary script in the context of the user’s browser through the date_range parameter,” an advisory from the CERT/CC at Carnegie Mellon University says.

The vulnerability affects the following products from Cisco:

  • Cisco Email Security Appliance 8.0 and earlier
  • Cisco Web Security Appliance 8.0 and earlier
  • Content Security Management Appliance 8.3 and earlier

Cisco officials said that the vulnerability could be exploited through a simple malicious URL.

“The vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by convincing the user to access a malicious link,” the Cisco advisory says.
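To make the "insufficient input validation" concrete, here is an added illustration (not Cisco's code; how AsyncOS actually handles date_range is not shown on the page) of a request parameter reflected into HTML unchanged, beside a hardened version that allowlists and encodes it, plus a defender-side check over access-log lines for out-of-allowlist date_range values. The allowlist tokens, the /reports path and the log lines are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of tokens a date-range selector would legitimately send.
# The real AsyncOS value set is not on the page; these are constructed for the example.
ALLOWED_DATE_RANGES = {"1h", "1d", "1w", "1m", "1y"}
DEFAULT_DATE_RANGE = "1d"


def render_reflected_unsafe(date_range: str) -> str:
    """The pattern the advisory describes: the parameter is echoed into the page unchanged,
    so markup carried in the request lands in the response and runs in the viewer's browser."""
    return f'<option selected value="{date_range}">{date_range}</option>'


def render_reflected_safe(date_range: str) -> str:
    """Fix: validate against the allowlist first, then HTML-encode whatever is reflected.
    An unexpected value is replaced by a default rather than echoed back."""
    if date_range not in ALLOWED_DATE_RANGES:
        date_range = DEFAULT_DATE_RANGE
    safe = html.escape(date_range, quote=True)  # defence in depth even for allowlisted tokens
    return f'<option selected value="{safe}">{safe}</option>'


def flag_bad_date_range(access_log_lines):
    """Defender-side check: return (client_ip, value) for every request whose date_range
    query parameter is outside the allowlist. Expects NCSA-style access-log lines (constructed)."""
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) < 7 or not parts[5].startswith('"'):
            continue
        target = parts[6]  # request target, e.g. /reports?date_range=1d
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("date_range", []):
            if value not in ALLOWED_DATE_RANGES:
                hits.append((parts[0], value))
    return hits


# Constructed sample log: one normal request, one carrying markup in date_range.
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2014:10:00:00 +0000] "GET /reports?date_range=1d HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Jan/2014:10:00:05 +0000] "GET /reports?date_range=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, value in flag_bad_date_range(SAMPLE_LOG):
        print(f"suspicious date_range from {ip}: {value!r}")
```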

The CERT/CC advises customers who can’t upgrade immediately to consider restricting access to only trusted hosts.

“As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing the web interface using stolen credentials from a blocked network location,” the advisory says.
