Core Security Technologies Discovers XSS Vulnerability in CISCO Security Tools

Cross-Site Scripting Flaw in Cisco Secure Desktop Package Could Leave Users Open To Targeted Online Attacks

BOSTON, MA – Feb. 1, 2010 - Core Security Technologies, provider of the CORE IMPACT family of comprehensive enterprise security testing solutions, today issued an advisory disclosing a vulnerability that could affect large numbers of organizations using Cisco’s Secure Desktop security package and leave users of the product open to potential Cross-Site Scripting (XSS) attacks.



A Core Security Consultant working in CoreLabs, the research arm of Core Security Technologies, found that affected versions of Cisco Secure Desktop mishandle some browser requests, thereby making end users vulnerable to targeted online attacks that seek to exploit the resulting XSS vulnerability. Cross-site scripting threats can be used to do everything from stealing IT system log-in credentials to tricking people into visiting fraudulent phishing and malware-distribution sites.



Cisco Secure Desktop is marketed as a multifunctional component of the Cisco SSL VPN appliance solution, with onboard capabilities for host scan checks, desktop encryption, cache cleaning, and both keystroke logger and host emulation detection.

Cisco issued an update to Secure Desktop that addresses the vulnerability (CSCsw15646) on Feb. 1, 2010. The company also released an updated version of the product that does not include the reported XSS flaw.

CoreLabs researcher Matias Pablo Brutti, a consultant with Core’s Security Consulting Services team, is credited with discovering the Cisco Secure Desktop vulnerability.

“Cross-site scripting remains one of the most prevalent and dangerous attack vectors in use over the Internet today, exposing organizations and end users to an extremely wide range of potential threats from infiltration and information theft to malware infection,” said Ivan Arce, CTO of Core Security Technologies. “It’s also important to note that it is not unusual to find such exploitable vulnerabilities in defensive security products or features that are specifically meant to prevent the attacks that result from these issues. This highlights the need to consistently test the resiliency of many different forms of IT systems and applications including those designed to work as security controls to identify and prioritize risks accurately.”



Vulnerability Specifics

The Cisco Secure Desktop Web application does not sufficiently verify that a POST request submitted by a user is well-formed, resulting in a remotely exploitable Cross-Site Scripting (XSS) vulnerability.



In this instance, the content of the POST field is not encoded when it is used in HTML output, allowing an attacker who controls Web content to insert nefarious JavaScript code. Furthermore, an attacker could possibly inject JavaScript code into the start.html page because the content of the previously mentioned POST request is used as input for an 'eval' function, allowing an attacker to arbitrarily specify JavaScript code to be executed in the context of the 'eval' function.
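The two sinks described above (a POST field written into HTML output and passed to 'eval'), shown as an added example that is not Cisco's or Core's code; the field name `label` and the page template are hypothetical. It contrasts the unencoded rendering with per-context encoding that keeps the submitted value as data.

```javascript
// Added illustration. The field name "label" and the page template are
// hypothetical; they are not taken from Cisco Secure Desktop.

// HTML context: encode the characters that can change markup structure.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Script context: emit a JSON string literal, then escape characters that
// could close the <script> element or act as line terminators.
function encodeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Weak pattern: raw POST data reaches the HTML output and an eval() call.
function renderUnsafe(post) {
  return `<p>${post.label}</p><script>eval("${post.label}")</script>`;
}

// Hardened: one encoder per output context, and no eval; the value is
// assigned as a string, never interpreted as code.
function renderSafe(post) {
  return `<p>${encodeHtml(post.label)}</p>` +
    `<script>var label = ${encodeJsString(post.label)};</script>`;
}

// Review aid: does input containing markup characters appear verbatim
// in the rendered page?
function reflectsRawMarkup(html, input) {
  return /[<>]/.test(input) && html.includes(input);
}

// Constructed sample input containing quote and markup characters.
const sample = { label: '"><b>x</b>' };

console.log(reflectsRawMarkup(renderUnsafe(sample), sample.label));
console.log(reflectsRawMarkup(renderSafe(sample), sample.label));
```
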



In order for the vulnerability to be exploited, the Secure Desktop application on the affected Cisco appliances must be turned on.



The vulnerability specifically affects Cisco Secure Desktop version 3.4.2048, and may also affect other older versions of the product. It does not affect Cisco Secure Desktop version 3.5.841.



Cross-site scripting (XSS) vulnerabilities allow an attacker to execute arbitrary scripting code in the context of a user’s browser (in the vulnerable application's domain). For example, an attacker could exploit an XSS vulnerability to steal user cookies (and then impersonate the legitimate user) or create fraudulent Web pages that request user information (e.g., credentials) to gain access to their system. This vulnerability occurs when any user-supplied data is displayed without encoding.



Cisco’s security update addressing the Secure Desktop XSS vulnerability is available at:

http://tools.cisco.com/security/center/viewAlert.x?alertId=19843

For more information on this vulnerability and the systems affected, please visit:

http://www.coresecurity.com/content/cisco-secure-desktop-xss



About CoreLabs


CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at:  http://www.coresecurity.com/corelabs/.



About Core Security Technologies

Core Security Technologies is the leader in commercial-grade penetration testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, Mass. and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.



Contacts:

Tim Whitman or Lauren O’Leary

Schwartz Communications

781 684-0770

coresecurity@schwartz-pr.com

Mon, February 01