Cisco IronPort Web Security Appliance basicConstraints Parameter Processing Man-in-the-Middle Vulnerability

Advisory ID: CISCO-SA-20120412-CVE-2012-1326
Vendor: Cisco
Published: 2012-04-12 16:01:37
Source: tools.cisco.com

CVSS v2: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
  Attack Vector: Network; Attack Complexity: Medium; Authentication: None;
  Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: None

CVSS v3.1: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
  Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None;
  Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: None

EPSS: 0.001 (percentile 41.6%)

Cisco IronPort Web Security Appliance (WSA) software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct man-in-the-middle attacks against a targeted system.

The vulnerability is in the SSL implementation of the affected operating system, which does not properly process the basicConstraints extension when validating SSL and Transport Layer Security (TLS) certificates. As a result, the implementation may not correctly validate the certificate authority (CA) hierarchy and may trust certificates that were not issued by a legitimate CA.

An unauthenticated, remote attacker could exploit the vulnerability by using a legitimate certificate to generate a security certificate for a third-party domain. The attacker would then attempt to convince an affected user to visit the domain and establish an SSL connection with the domain by using the certificate provided. A successful attack could allow the attacker to conduct a man-in-the-middle attack against the affected user.
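To make the advisory's point concrete, the following is an added example, not code from Cisco or from the advisory: a small certificate-chain validator in Python built on the `cryptography` package. It constructs an in-memory root CA, a legitimate end-entity certificate issued with CA:FALSE, and a certificate for a third-party domain signed with the end-entity key, which is the shape of chain the advisory describes. The function names (`validate_chain`, `build_demo`, `run_checks`) and the www.example.com / www.example.net subjects are assumptions made for the demo.

```python
"""Certificate-chain validator that enforces basicConstraints (added example).

Builds a constructed in-memory PKI: a root CA, an end-entity certificate for
www.example.com issued with CA:FALSE, and a certificate for a third-party
domain signed with that end-entity key. A signature-only check accepts the
third-party certificate; a check that honours basicConstraints rejects it.
Requires the `cryptography` package; all names below are assumptions.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _make_key():
    # Constructed throwaway RSA key; 2048 bits keeps generation fast for a demo.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _issue(subject_cn, subject_key, issuer_cert, issuer_key, is_ca):
    """Sign a certificate for subject_cn with issuer_key (self-signed if issuer_cert is None)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        # basicConstraints is the extension the advisory names: only CA:TRUE may issue.
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _signature_ok(cert, issuer_public_key):
    """True if cert's signature verifies under the issuer's RSA public key."""
    try:
        issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def validate_chain(leaf, intermediates, trust_anchor, check_basic_constraints=True):
    """Walk leaf -> intermediates -> trust_anchor; return (accepted, reason).

    With check_basic_constraints=False this models a validator that checks only
    names and signatures, the class of flaw the advisory describes.
    """
    chain = [leaf, *intermediates, trust_anchor]
    for depth, (cert, issuer) in enumerate(zip(chain, chain[1:])):
        who = issuer.subject.rfc4514_string()
        if cert.issuer != issuer.subject:
            return False, f"issuer name mismatch below {who}"
        if not _signature_ok(cert, issuer.public_key()):
            return False, f"bad signature on certificate issued by {who}"
        if not check_basic_constraints:
            continue
        try:
            bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            return False, f"{who} has no basicConstraints extension"
        if not bc.ca:
            return False, f"{who} is CA:FALSE and may not issue certificates"
        # pathLenConstraint: at most bc.path_length intermediates may sit below this issuer.
        if bc.path_length is not None and depth > bc.path_length:
            return False, f"{who} pathLen {bc.path_length} exceeded"
    return True, "chain valid"


def build_demo():
    """Constructed PKI: root CA, legitimate leaf, and a leaf-signed third-party cert."""
    root_key, site_key, third_key = _make_key(), _make_key(), _make_key()
    root = _issue("Constructed Root CA", root_key, None, root_key, is_ca=True)
    site = _issue("www.example.com", site_key, root, root_key, is_ca=False)
    third = _issue("www.example.net", third_key, site, site_key, is_ca=False)
    return root, site, third


def run_checks():
    """Outcome per scenario: True means the validator accepted the chain."""
    root, site, third = build_demo()
    return {
        "legit_leaf_strict": validate_chain(site, [], root)[0],
        "third_party_signature_only": validate_chain(third, [site], root, False)[0],
        "third_party_strict": validate_chain(third, [site], root)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in run_checks().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

Run it directly to see the three outcomes. The decisive test is the one on the issuer's basicConstraints extension: RFC 5280 requires a certificate used as an issuer to carry basicConstraints with cA set, and a validator that verifies only issuer names and signatures (what `check_basic_constraints=False` models here) accepts the third-party certificate even though a CA:FALSE end-entity certificate signed it. In production, rely on the platform's path validator rather than a hand-rolled walk; this block exists to show which check must be present for the chain to be rejected.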

Cisco IronPort has confirmed the vulnerability; however, updates are not yet available. A workaround exists to mitigate the impact of this vulnerability.

A successful attack would require the attacker to have access to a network that is adjacent to the targeted user’s system. This requirement would limit the likelihood of an attack.

A workaround exists that mitigates this vulnerability. The WSA can be configured to drop invalid certificates in the administrative GUI under Security Services -> HTTPS Proxy. The "Invalid Certificate Handling" section of that page controls how invalid certificates are handled and lets the administrator configure the WSA to drop them.

Affected configurations

Vendor: cisco; Product: ironport_web_security_appliance; Version: any
CPE: cpe:2.3:a:cisco:ironport_web_security_appliance:any:*:*:*:*:*:*:*
