Severity: 2/4

Consequences: user access/rights, data reading

Provenance: document

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Number of vulnerabilities in this bulletin: 3

Creation date: 24/06/2009

IMPACTED PRODUCTS

 Cisco PIX/ASA Software

DESCRIPTION OF THE VULNERABILITY

Three vulnerabilities were announced in Cisco ASA Web VPN, Clientless SSL VPN.

An attacker can create an HTML page containing a function stored in the CSCO_WebVPN[’process’] variable. The csco_wrap_js() JavaScript function then calls attacker’s function, and its code runs in the context of the web proxy. [grav:2/4; 18373, BID-35476, CSCsy80694, CVE-2009-1201]

The proxy changes urls using a ROT13 encoding. However, if a script changes the first byte, the returned page is not rewritten, and the JavaScript code it contains is thus executed in the context of the proxy. [grav:2/4; 18442, BID-35480, CSCsy80705, CVE-2009-1202]

An HTML page can contain a link to a FTP of CIFS site requesting an authentication. When the victim clicks on this link, a dialog box appears. However, this window is similar to the proxy authentication window, which can deceive the victime and invite him to enter his proxy login and password. [grav:2/4; 18536, BID-35475, CSCsy80709, CVE-2009-1203]

CHARACTERISTICS

Identifiers: 18373, 18442, 18536, BID-35474, BID-35475, BID-35476, BID-35480, CSCsy80694, CSCsy80705, CSCsy80709, CVE-2009-1201, CVE-2009-1202, CVE-2009-1203, TWSL2009-002, VIGILANCE-VUL-8822

http://vigilance.fr/vulnerability/Cisco-ASA-vulnerabilities-of-the-Web-VPN-8822