Cisco advisory: CISCO-SA-20090624-CVE-2009-1201
Jun 24, 2009 - 4:08 p.m.

Cisco ASA Adaptive Security Appliance Clientless SSL VPN DOM Cross-Site Scripting Vulnerability

2009-06-24 16:08:16
tools.cisco.com
CVSS2: 4.3 Medium
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.004 Low
Percentile: 73.6%

Cisco ASA Adaptive Security Appliance Software versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that are configured to accept Clientless SSL VPN connections are affected by a cross-site scripting vulnerability. Versions 7.x are not affected.

The vulnerability is due to insufficient restrictions on access to the JavaScript-based Document Object Model (DOM) that the SSL VPN feature of Cisco ASA uses when clients browse web pages using the VPN web portal. If an unauthenticated, remote attacker can convince a user to visit a malicious page while the user is logged in to the secure portal, the attacker could execute arbitrary script or HTML code in the security context of the affected site.

Cisco has confirmed this vulnerability and released updated software.

The vulnerability is due to a failure to properly protect the DOM of the Clientless SSL VPN from unauthorized modification. The vulnerability is likely to be exploited in cases in which administrators allow users to enter arbitrary URLs that will be visited using the secure web portal. Systems that allow users to visit only URLs that have been defined by administrators are less likely to be affected. When administrators define the URLs, an attacker would need to take control of a website that resides at one of these URLs, or perform some sort of URL spoofing or hijacking to perform an attack.

Exploit code that demonstrates the cross-site scripting vulnerability is publicly available.
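
The affected-version statement above can be turned into a fleet triage check. The following is an added example, not code from Cisco or from this page. It assumes devices may report versions in an "8.0(4)34" form as well as the advisory's "8.0.4(34)" notation, and it reports trains the advisory does not name as unknown rather than guessing.

```python
import re

# Fixed release per software train, taken from the advisory text:
# train (major, minor) -> first fixed (maintenance, interim build).
FIXED = {(8, 0): (4, 34), (8, 1): (2, 25), (8, 2): (1, 3)}

# First pattern: the advisory's notation, e.g. "8.0.4(34)".
# Second pattern: "8.0(4)34" (assumed device-reported form).
# The interim build is optional in both and defaults to 0.
_PATTERNS = (
    re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\((\d+)\))?$"),
    re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$"),
)


def parse_version(text):
    """Return (major, minor, maintenance, build) as integers."""
    for pattern in _PATTERNS:
        match = pattern.match(text.strip())
        if match:
            return tuple(int(g) if g else 0 for g in match.groups())
    raise ValueError(f"unrecognised ASA version: {text!r}")


def triage(version, clientless_enabled):
    """Classify one device against the advisory's conditions."""
    major, minor, maint, build = parse_version(version)
    if major == 7:
        return "not-affected"          # advisory: 7.x is not affected
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"               # train not named in the advisory
    if (maint, build) >= fixed:
        return "not-affected"          # at or above the fixed release
    if not clientless_enabled:
        return "vulnerable-release"    # old code, feature not accepting connections
    return "affected"


def triage_inventory(devices):
    """devices: iterable of (name, version, clientless_enabled)."""
    return {name: triage(ver, enabled) for name, ver, enabled in devices}


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE = [
    ("asa-edge-1", "8.0.4(33)", True),
    ("asa-edge-2", "8.2(1)3", True),
    ("asa-lab", "8.1.2", False),
    ("asa-legacy", "7.2.4", True),
]
```

Devices classified as "vulnerable-release" still warrant an upgrade, since enabling Clientless SSL VPN later would expose them.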
