Cisco ASA Adaptive Security Appliance Software Clientless SSL VPN Rot13-Encoded Cross-Site Scripting Vulnerability

Cisco ASA Adaptive Security Appliance Software versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that have been configured to accept Clientless SSL VPN connections contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script or HTML code in a user’s browser session. Versions 7.x are not affected.

The vulnerability is due to insufficient restrictions on Rot13-encoded URL parameters that are utilized by the SSL VPN feature of Cisco ASA Software when clients browse web pages by means of the VPN web portal. An attacker who could convince a user to visit a malicious page while logged into the secure portal could exploit this vulnerability to execute arbitrary script or HTML code in the security context of the affected site.

Cisco has confirmed this vulnerability and released updated software.

The vulnerability is due to a failure to properly protect the domain object model that is utilized by the Clientless SSL VPN against unauthorized modification. The vulnerability is likely to be exploited in instances where administrators allow users to enter arbitrary URLs that could be visited by means of the secure web portal. Systems that allow users to visit only the URLs that have been defined by administrators are less likely to be affected. In the latter case, an attacker would need to take control of a website that resides at one of the predefined URLs or perform URL spoofing or hijacking to conduct an attack.

Exploit code that demonstrates the cross-site scripting vulnerability is publicly available.