Public Safety and Emergency Preparedness Canada - Sécurité publique et Protection civile Canada

Cisco Guard Input Validation Flaw in Anti-Spoofing Feature Permits Cross-Site Scripting Attacks

Number: AV06-038
Date: 21 September 2006

Purpose

The purpose of this advisory is to bring attention to a vulnerability that has been reported in Cisco Guard. The Cisco Guard DDoS Mitigation Appliance is a distributed denial-of-service (DDoS) protection system.

Assessment

A vulnerability exists in Cisco Guard that could allow a malicious remote user to conduct cross-site scripting attacks. Cross-site scripting (XSS) is an attack in which a user follows a link that contains an embedded script. The link often looks valid and sends the user to a valid site. The recipient website does not contain the link that is sent, and it sends a meta-refresh back to the user without validating the data it is sent. On receiving the meta-refresh, the web browser interprets the script as an instruction from the website, and the script is executed on the user's machine.

In this case, when the anti-spoofing feature is enabled, all diverted HTTP traffic is inspected and then a meta-refresh is sent to the client containing the original request. If the original URL contains a script and a specific character sequence, the meta-refresh from the Guard will allow the client machine to execute the malicious script.
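The reflection described above, shown as an added example that is not part of this advisory and is not Cisco's code: one function copies the request URL into a meta-refresh page unchecked, the other validates the target and encodes it first. The host `shop.example`, the function names and the sample URL are assumptions made for illustration; the character sequence the Guard actually mishandled is not given here.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

PAGE = '<html><head><meta http-equiv="refresh" content="0;url={}"></head></html>'

def refresh_page_unsafe(original_url):
    """Reflect the request URL into the refresh page with no validation."""
    return PAGE.format(original_url)

def refresh_page_safe(original_url, protected_host):
    """Validate the target, then encode it for the URL and HTML contexts."""
    parts = urlsplit(original_url)
    if parts.scheme not in ("http", "https") or parts.hostname != protected_host:
        raise ValueError("refresh target is not on the protected site")
    # Percent-encode everything that is not a plain URL character, so quotes
    # and angle brackets never reach the markup in literal form.
    url = quote(original_url, safe=":/?&=%#+,;@")
    # Entity-encode for the attribute value (turns & into &amp;).
    return PAGE.format(html.escape(url, quote=True))

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def parsed_tags(page):
    """Start tags an HTML parser sees in the page, in order."""
    parser = _Tags()
    parser.feed(page)
    parser.close()
    return parser.tags

# Constructed sample request; generic markup, not the Guard-specific sequence.
SAMPLE = 'http://shop.example/search?q="><script>alert(1)</script>'

if __name__ == "__main__":
    print(parsed_tags(refresh_page_unsafe(SAMPLE)))
    print(parsed_tags(refresh_page_safe(SAMPLE, "shop.example")))
```

In the unchecked page the double quote ends the `content` attribute early, so a parser sees a `script` element after the `meta` tag; in the encoded page the whole URL stays inside the attribute.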

Several conditions are required to be true in order for the malicious script to be processed:

  • The client user must follow a URL with a specifically formatted, embedded script to a site protected by the Guard.
  • The Guard must be running active basic protection, going through basic/redirect protection.
  • The specially crafted HTTP request must be diverted through the Guard, and processed by the Guard.
    (Only if all of the above conditions are met will the client receive the meta-refresh and process the embedded script.)

Successful exploitation of the vulnerability may result in malicious executable code being run by an individual user using a web browser.

The following products are affected:

  • Cisco Guard Appliance (Software Version 3.X)
  • Cisco Guard Blade (Software Version 4.X)
  • Cisco Guard Appliance [Software Version 5.0(3)]
  • Cisco Guard Appliance [Software Version 5.1(5)]

Cisco has assigned bug ID CSCsf01438 to this vulnerability.

Suggested action

PSEPC recommends that administrators test and upgrade to the fixed version (5.1(6)) of the Cisco Anomaly Guard code that has been issued by Cisco.

For more information and instructions, please refer to:

http://www.cisco.com/warp/public/707/cisco-sa-20060920-guardxss.shtml

Note to readers

Canadian Cyber Incident Response Centre (CCIRC) collects information related to cyber threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyze threats and to issue alerts, advisories and other information products. To report threats or incidents, please contact the Government Operations Centre (GOC) at 613-991-7000 or goc-cog@psepc-sppcc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The Royal Canadian Mounted Police (RCMP) National Operations Centre (N.O.C.) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The N.O.C. can be reached at 613-993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at 613-993-9620.

For urgent matters or to report any incidents, please contact the Government Operations Centre at:

Phone: 613-991-7000
Fax: 613-996-0995
Secure Fax: 613-991-7094
Email: goc-cog@psepc-sppcc.gc.ca

For general information on critical infrastructure protection and emergency preparedness, please contact PSEPC's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@psepc-sppcc.gc.ca

Last updated: 2006-09-26