Orange Business Services
Vigil@nce
Vigil@nce describes vulnerabilities impacting your systems, and offers solutions to correct them.
Vulnerability announcement: CVE-2009-1201, CVE-2009-1202, CVE-2009-1203
Cisco ASA: vulnerabilities of the Web VPN

Synthesis of the vulnerability
An attacker can use three vulnerabilities in the Web VPN of Cisco ASA to execute JavaScript code or to obtain authentication credentials.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: document.
Means of attack: no proof of concept, no attack.
Ability of attacker: expert (4/4).
Confidence: confirmed by the editor (5/5).
Diffusion of the vulnerable configuration: high (3/3).
Number of vulnerabilities in this bulletin: 3.
Creation date: 24/06/2009.

Impacted products

Description of the vulnerability
Three vulnerabilities were announced in Cisco ASA Web VPN, Clientless SSL VPN.

An attacker can create an HTML page containing a function stored in the CSCO_WebVPN['process'] variable. The csco_wrap_js() JavaScript function then calls the attacker's function, and its code runs in the context of the web proxy. [severity:2/4; 18373, BID-35476, CSCsy80694, CVE-2009-1201]
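The handler lookup described above can be modelled as follows. This is an added example, not Cisco's code or code from the advisory: it assumes the proxy wrapper and the rewritten page share one global scope (the plain object `scope`), and `proxyProcess`, the install functions and the page script are hypothetical names. It contrasts a wrapper that resolves its handler from a page-writable global with one that captures the handler before page code runs.

```javascript
// Simplified model (assumption): `scope` stands for the global object that
// the proxy-injected wrapper and the rewritten page both run in.

// Hypothetical stand-in for the proxy's own URL rewriting routine.
function proxyProcess(url) {
  return "/proxied/" + encodeURIComponent(url);
}

// Weak form: the handler is looked up in the shared global at call time,
// so whatever the page stored in CSCO_WebVPN['process'] is what gets called.
function installWeakWrapper(scope) {
  scope.CSCO_WebVPN = { process: proxyProcess };
  scope.csco_wrap_js = (url) => scope.CSCO_WebVPN["process"](url);
}

// Hardened form: the handler is captured in a closure, and both globals are
// frozen and non-writable, so later page code cannot substitute its own.
function installHardenedWrapper(scope) {
  const handler = proxyProcess;
  const lock = { writable: false, configurable: false, enumerable: true };
  Object.defineProperty(scope, "CSCO_WebVPN",
    { value: Object.freeze({ process: handler }), ...lock });
  Object.defineProperty(scope, "csco_wrap_js",
    { value: (url) => handler(url), ...lock });
}

// Constructed page script: stores its own function where the wrapper looks.
function untrustedPageScript(scope, log) {
  const replacement = (url) => { log.push("page function called"); return url; };
  // Writes to locked properties fail silently, or throw in strict mode.
  try { scope.CSCO_WebVPN = { process: replacement }; } catch (e) {}
  try { scope.CSCO_WebVPN["process"] = replacement; } catch (e) {}
}

// Install a wrapper, let the page script run, then call the wrapper.
function run(install) {
  const scope = {};
  const log = [];
  install(scope);
  untrustedPageScript(scope, log);
  const out = scope.csco_wrap_js("http://intranet.example/app.js");
  return { out, pageCodeRan: log.length > 0 };
}

console.log("weak:    ", run(installWeakWrapper));
console.log("hardened:", run(installHardenedWrapper));
```

In the weak form the wrapper returns the URL unrewritten and the page-supplied function has run; in the hardened form the proxy's own routine is the only one called.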

The proxy rewrites URLs using a ROT13 encoding. However, if a script changes the first byte, the returned page is not rewritten, and the JavaScript code it contains is thus executed in the context of the proxy. [severity:2/4; 18442, BID-35480, CSCsy80705, CVE-2009-1202]

An HTML page can contain a link to an FTP or CIFS site requesting authentication. When the victim clicks this link, a dialog box appears. However, this window is similar to the proxy authentication window, which can deceive the victim into entering his proxy login and password. [severity:2/4; 18536, BID-35475, CSCsy80709, CVE-2009-1203]

Characteristics
Title: Cisco ASA: vulnerabilities of the Web VPN
Identifiers: 18373, 18442, 18536, BID-35474, BID-35475, BID-35476, BID-35480, CSCsy80694, CSCsy80705, CSCsy80709, CVE-2009-1201, CVE-2009-1202, CVE-2009-1203, TWSL2009-002, VIGILANCE-VUL-8822.
Url: https://vigilance.fr/tree/1/8822

Information sources
Publications and announces

Solutions for this vulnerability
Patch or workaround

Supplements

Vulnerability: CVE-2009-1201
An attacker can create an HTML page containing a function stored in the CSCO_WebVPN['process'] variable. The csco_wrap_js() JavaScript function then calls the attacker's function, and its code runs in the context of the web proxy.
Severity: 2/4.
Identifiers: 18373, BID-35476, CSCsy80694, CVE-2009-1201.
Publications and announces
Source example: Cisco ASA Adaptive Security Appliance Clientless SSL VPN DOM Cross-Site Scripting Vulnerability

Vulnerability: CVE-2009-1202
The proxy rewrites URLs using a ROT13 encoding. However, if a script changes the first byte, the returned page is not rewritten, and the JavaScript code it contains is thus executed in the context of the proxy.
Severity: 2/4.
Identifiers: 18442, BID-35480, CSCsy80705, CVE-2009-1202.
Publications and announces
Source example: Cisco ASA Adaptive Security Appliance Software Clientless SSL VPN Rot13-Encoded Cross-Site Scripting Vulnerability

Vulnerability: CVE-2009-1203
An HTML page can contain a link to an FTP or CIFS site requesting authentication. When the victim clicks this link, a dialog box appears. However, this window is similar to the proxy authentication window, which can deceive the victim into entering his proxy login and password.
Severity: 2/4.
Identifiers: 18536, BID-35475, CSCsy80709, CVE-2009-1203.
Publications and announces
Source example: Cisco ASA Adaptive Security Appliance Clientless SSL VPN CIFS and FTP Credential Theft Vulnerability



















France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services.