Re: XSS vulnerability in the online help system of several Cisco products

[Eloy Paris <elparis () cisco com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Cassio,

On Thu, Mar 15, 2007 at 05:41:31PM -0000, cassio () mail com wrote:

> What: cross-site scripting (XSS) vulnerability in the online help
> system distributed with several Cisco products
>
> Release Date: 03-15-2007
>
> Application: 14 different applications verified by Cisco
> up to now. For a complete list of affected products see
> http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
>
> Vendor status: Replicated and verified by Cisco Systems, patch available.
>
> Overview: 
>
>  There exists a cross site scripting in Cisco VPN client in the search
>  engine of the HTML help file. The result is that when a specially
>  crafted search is performed, arbitrary code running with current
>  logged user privilege can be executed on the host in question.
>
> Details: 
>
>  Cisco online help provides an HTML based search feature. During my
>  investigation it was discovered that a specially crafted query can
>  lead to script execution despite of attempts to cleanse user input by
>  eliminating special characters such as ?<>;:? from the begging and
>  end of the search string as observed on the HTML code.
>
>  The result is script code execution in the local user context in the
>  host. Preliminary tests concluded the system is vulnerable with most
>  popular web browsers such as Microsoft Internet Explorer 7.0 and
>  Mozilla Firefox 2.0 fully patched.
>
>  User intervention (e.g. clicking on a malicious link) is necessary to
>  trigger the exploit.

Thanks for bringing this issue to our attention; we confirm your
findings. This online help system is actually used by several Cisco
products so in addition to the Cisco VPN Client, where you originally
found this problem on, the following products are also affected:

- ----------------------------------------------------------------------
* Cisco Secure Access Control Server (ACS) for Windows version 4.1 and
Cisco Secure ACS Solution Engine version 4.1. Cisco Bug ID CSCsh91761.

* Cisco VPN Client. Cisco Bug ID CSCsh52300.

* Cisco Unified Personal Communicator. Cisco Bug ID CSCsh91884.

* Cisco MeetingPlace and Cisco Unified MeetingPlace, end-user and Admin
help systems. Cisco Bug ID CSCsi12435.

* Cisco Unified MeetingPlace Express, end-user and Admin help systems.
Cisco Bug ID CSCsh91901.

* Cisco CallManager. Cisco Bug ID CSCsi10405.

* Cisco IP Communicator. Cisco Bug ID CSCsh91953.

* Cisco Unified Video Advantage (formerly Cisco VT Advantage). Cisco Bug
ID CSCsh93070.

* Cisco Unified Videoconferencing 3545 System, Cisco Unified
Videoconferencing 3540 Series Videoconferencing System, Cisco Unified
Videoconferencing 3515 MCU, Cisco Unified Videoconferencing 3527 PRI
Gateway, Cisco Unified Videoconferencing 3526 PRI Videoconferencing
Gateway, and Cisco Unified Videoconferencing Manager. Cisco Bug ID
CSCsh93854.

* Cisco WAN Manager (CWM). Cisco Bug ID CSCek71039.

* Cisco Security Device Manager. Cisco Bug ID CSCsh95009.

* Cisco Network Analysis Module (NAM) for Catalyst 6500 series switches
and Cisco 7600 series routers, and for modular IOS routers. Cisco Bug ID
CSCsi10818.

* CiscoWorks and all products that integrate with CiscoWorks. Cisco Bug
ID CSCsi10674.

  Affected CiscoWorks-related products include:

    - Management Center for IPS Sensors
    - Security Monitor
    - CiscoWorks LAN Management Solution
    - Router Management Essentials
    - Common Services
    - Device Fault Manager
    - CiscoView
    - Internetwork Performance Monitor (IPM)
    - Campus Manager

* Cisco Wireless LAN Solution Engine (WLSE). Cisco Bug ID CSCsi10982.

* Cisco 2006 Wireless LAN Controllers (WLC). Cisco Bug ID CSCsi13743.

* Cisco Wireless Control System (WCS). Cisco Bug ID CSCsi13763.
- ----------------------------------------------------------------------

Our investigation into affected products is still on-going.  We will
make any necessary updates to the response we have posted to cisco.com at 
the following URL:

http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

In some cases it is possible to eliminate the vulnerability by removing
or renaming the files PreSearch.html and PreSearch.class (if they exist
- - they can be found using the operating system's file search feature.)
Please note that this workaround is not applicable to appliances and
other products where direct access to the file system is not available,
and that by removing or renaming these files it will no longer be
possible to search the product's online help contents.

We also have a companion document that provides additional information
on Cross-Site Scripting (XSS) attacks and the methods used to exploit
them. This document, a Cisco Applied Intelligence Response titled
"Understanding Cross-Site Scripting (XSS) Threat Vectors", is available
at:

http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-xss.shtml

We are not aware of any malicious use of this vulnerability.

This issue was also reported to us by Erwin Paternotte from Fox-IT, just
five days apart. Erwin's report was on the Cisco CallManager. We would
like to thank you both for bringing this issue to our attention and for
working with us towards coordinated disclosure of the issue.

Cheers,

- -- 

Eloy Paris
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF+YvuagjTfAtNY9gRAkV4AKCN9wPgg4aODT0u+gZAz+SQw02xfACeNu9I
/rUXLAWxJliZKsFLtdArelo=
=pTwJ
-----END PGP SIGNATURE-----