The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco SMA

vulnerability bulletin CVE-2015-0732

Cisco ESA, SMA, WSA: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Cisco ESA, SMA or WSA, in order to run JavaScript code in the context of the web site.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, Cisco WSA.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 28/07/2015.
Identifiers: 40172, CSCut71981, CSCuu37420, CSCuu37430, CSCuv50167, CVE-2015-0732, VIGILANCE-VUL-17513.

Description of the vulnerability

The Cisco ESA, SMA or WSA product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Cisco ESA, SMA or WSA, in order to run JavaScript code in the context of the web site.

vulnerability announce CVE-2015-4288

Cisco ESA, SMA, WSA: Man-in-the-Middle of LDAP

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle between Cisco ESA/SMA/WSA and an LDAP server, in order to read or alter directory data.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, Cisco WSA.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: intranet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 27/07/2015.
Identifiers: 40137, CSCuo29561, CSCuv40466, CSCuv40470, CVE-2015-4246-ERROR, CVE-2015-4288, VIGILANCE-VUL-17502.

Description of the vulnerability

The following products can connect to LDAP through an SSL/TLS session:
 - Cisco Web Security Appliance
 - Cisco Email Security Appliance
 - Cisco Content Security Management Appliance

However, the X.509 certificate of the SSL/TLS session is not checked.

An attacker can therefore act as a Man-in-the-Middle between Cisco ESA/SMA/WSA and an LDAP server, in order to read or alter directory data.

computer vulnerability CVE-2015-4216 CVE-2015-4217

Cisco virtual Security Appliance: shared SSH private keys

Synthesis of the vulnerability

An attacker can use well-known SSH private keys for Cisco Security Appliance, in order to get administration privileges.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, Cisco WSA.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 26/06/2015.
Identifiers: 39461, 39462, CERTFR-2015-AVI-266, cisco-sa-20150625-ironport, CVE-2015-4216, CVE-2015-4217, VIGILANCE-VUL-17245.

Description of the vulnerability

The products Cisco virtual Web/Email/Content Security Appliance use the SSH protocol.

Private keys for the virtual variants of these products are included in the system image, so all instances of the products share the same private key. Any attacker who has had access to these products can therefore use the private key of the SSH server to decrypt or alter the traffic of legitimate connections, and use the private key of the "root" account to access all systems with administrator privileges.

An attacker can therefore use well-known SSH private keys for Cisco Security Appliance, in order to get administration privileges.

computer vulnerability bulletin CVE-2014-8176

OpenSSL: use after free via DTLS

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via DTLS in OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, HP Switch, AIX, IRAD, McAfee Email and Web Security, McAfee Email Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, OpenSSL, openSUSE, Palo Alto Firewall PA***, PAN-OS, pfSense, RHEL, stunnel, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 12/06/2015.
Identifiers: 1961569, 9010038, 9010039, BSA-2015-006, c05184351, CERTFR-2015-AVI-257, cisco-sa-20150612-openssl, CVE-2014-8176, DSA-3287-1, HPSBHF03613, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1277-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA98, SB10122, SOL16920, USN-2639-1, VIGILANCE-VUL-17118.

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

However, if data are received between the ChangeCipherSpec and Finished messages, OpenSSL frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area via DTLS in OpenSSL, in order to trigger a denial of service, and possibly to execute code.

computer vulnerability announce CVE-2015-1788 CVE-2015-1789 CVE-2015-1790

OpenSSL: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, DB2 UDB, IRAD, Security Directory Server, SPSS Modeler, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/06/2015.
Identifiers: 1450666, 1610582, 1647054, 1961111, 1961569, 1964113, 1964766, 1966038, 1970103, 1972125, 9010038, 9010039, BSA-2015-006, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-257, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2017, CTX216642, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, RHSA-2015:1197-01, SA40002, SA98, SB10122, SOL16898, SOL16913, SOL16915, SOL16938, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TNS-2015-07, TSB16728, USN-2639-1, VIGILANCE-VUL-17117.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can generate an infinite loop via ECParameters, in order to trigger a denial of service. [severity:2/4; CVE-2015-1788]

An attacker can force a read at an invalid address in X509_cmp_time(), in order to trigger a denial of service. [severity:2/4; CVE-2015-1789]

An attacker can force a NULL pointer to be dereferenced via EnvelopedContent, in order to trigger a denial of service. [severity:2/4; CVE-2015-1790]

An attacker can generate an infinite loop via CMS signedData, in order to trigger a denial of service. [severity:2/4; CVE-2015-1792]

vulnerability announce CVE-2015-1791

OpenSSL: use after free via NewSessionTicket

Synthesis of the vulnerability

An attacker who owns a malicious TLS server can send the NewSessionTicket message to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, IRAD, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet client.
Creation date: 04/06/2015.
Identifiers: 1961569, 1964113, 1970103, 2003480, 2003620, 2003673, 9010038, 9010039, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-1791, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA40002, SA98, SB10122, SOL16914, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1182-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TSB16728, USN-2639-1, VIGILANCE-VUL-17062.

Description of the vulnerability

The TLS protocol uses the NewSessionTicket message to obtain a new session ticket (RFC 5077).

The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c file implements NewSessionTicket in an OpenSSL client. However, if the client is multi-threaded, this function frees a memory area before reusing it.

An attacker who owns a malicious TLS server can therefore send the NewSessionTicket message to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.

vulnerability announce CVE-2013-6780

Cisco ESA, SMA, WSA: Cross Site Scripting of uploader.swf

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in uploader.swf of Cisco ESA, SMA, WSA, in order to execute JavaScript code in the context of the web site.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort Email, IronPort Management, IronPort Web, Cisco WSA.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/02/2015.
Identifiers: CSCur44409, CSCur89624, CSCur89626, CVE-2013-6780, VIGILANCE-VUL-16272.

Description of the vulnerability

The Cisco ESA, SMA, WSA product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in uploader.swf of Cisco ESA, SMA, WSA, in order to execute JavaScript code in the context of the web site.

computer vulnerability alert CVE-2015-0624

Cisco ESA, SMA, WSA: HTTP redirect

Synthesis of the vulnerability

An attacker can deceive the user of Cisco ESA, SMA, or WSA, in order to redirect him to a malicious site.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort Email, IronPort Management, IronPort Web, Cisco WSA.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 23/02/2015.
Identifiers: CSCur44412, CSCur44415, CSCur89630, CSCur89633, CSCur89636, CSCur89639, CVE-2015-0624, VIGILANCE-VUL-16246.

Description of the vulnerability

The Cisco Email Security Appliance, Cisco Content Security Management Appliance and Cisco Web Security Appliance products offer a web service.

However, the web service redirects the victim, with no warning, to an external site indicated by the attacker.

An attacker can therefore deceive the user of Cisco ESA, SMA, or WSA, in order to redirect him to a malicious site.

vulnerability bulletin 16053

Cisco Ironport: privilege escalation via Service Account

Synthesis of the vulnerability

A local privileged attacker can connect to the Service Account of Cisco Ironport, in order to escalate his privileges.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort Email, IronPort Management, IronPort Web, Cisco WSA.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: privileged shell.
Creation date: 26/01/2015.
Identifiers: VIGILANCE-VUL-16053.

Description of the vulnerability

The Cisco Ironport product offers a remote maintenance service associated with the "service" user.

An authenticated user with "admin" privileges can enable the "service" account. However, he can then connect via SSH to the "service" account, and obtain a full root shell.

A local privileged attacker can therefore connect to the Service Account of Cisco Ironport, in order to escalate his privileges.

vulnerability bulletin CVE-2015-0577

Cisco AsyncOS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Cisco AsyncOS, in order to execute JavaScript code in the context of the web site.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 14/01/2015.
Identifiers: CSCup08113, CSCus22925, CVE-2015-0577, VIGILANCE-VUL-15963.

Description of the vulnerability

The Cisco AsyncOS product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Cisco AsyncOS, in order to execute JavaScript code in the context of the web site.