Cisco Online Help in a Slew of Products Could Open Systems to Attack
Cisco's online help system could allow cross-site scripting and a subsequent system takeover due to a vulnerability in several products, the company reported on March 15.
The XSS (cross-site scripting) flaw would allow an attacker to execute arbitrary scripting code if he or she were successful in luring a user to click on a specially crafted URL.
The flaw is found in the content search feature of Cisco's online help system, which is embedded in many products. The help system enables users to search for specific keywords in the help contents and is implemented through an HTML form and scripting code.
The vulnerability is that search code in the file PreSearch.html (or in the file PreSearch.class, depending of the product) fails to properly sanitize user input.
When a search keyword is entered that includes scripting code enclosed by tags, the vulnerability is triggered. The help system sanitizes the initial text in some cases but fails to sanitize the text that follows the tagged text, meaning that the subsequent text can also trigger the vulnerability.
All versions of these products are affected:
Cisco Secure Access Control Server (ACS) for Windows version 4.1 and Cisco Secure ACS Solution Engine version 4.1. Cisco Bug ID CSCsh91761 (registered customers only).
Cisco VPN Client. Cisco Bug ID CSCsh52300 (registered customers only).
Cisco Unified Personal Communicator. Cisco Bug ID CSCsh91884 (registered customers only).
Cisco MeetingPlace and Cisco Unified MeetingPlace, end-user and Admin help systems.
Cisco Bug ID CSCsi12435 (registered customers only).
Cisco Unified MeetingPlace Express, end-user and Admin help systems. Cisco Bug ID CSCsh91901 (registered customers only).
Cisco CallManager. Cisco Bug ID CSCsi10405 (registered customers only).
Cisco IP Communicator. Cisco Bug ID CSCsh91953 (registered customers only).
Cisco Unified Video Advantage (formerly Cisco VT Advantage). Cisco Bug ID CSCsh93070 (registered customers only).
Cisco Unified Videoconferencing 3545 System, Cisco Unified Videoconferencing 3540 Series Videoconferencing System, Cisco Unified Videoconferencing 3515 MCU, Cisco Unified Videoconferencing 3527 PRI Gateway, Cisco Unified Videoconferencing 3526 PRI Videoconferencing Gateway, and Cisco Unified Videoconferencing Manager. Cisco Bug ID CSCsh93854 (registered customers only).
Cisco WAN Manager (CWM). Cisco Bug ID CSCek71039 (registered customers only).
Cisco Security Device Manager. Cisco Bug ID CSCsh95009 (registered customers only).
Cisco Network Analysis Module (NAM) for Catalyst 6500 series switches and Cisco 7600 series routers, and for modular IOS routers. Cisco Bug ID CSCsi10818 (registered customers only).
CiscoWorks and all products that integrate with CiscoWorks. Cisco Bug ID CSCsi10674 (registered customers only).
Affected CiscoWorks-related products include:
Management Center for IPS Sensors
CiscoWorks LAN Management Solution
Router Management Essentials
Device Fault Manager
Internetwork Performance Monitor (IPM)
Cisco Wireless LAN Solution Engine (WLSE). Cisco Bug ID CSCsi10982 (registered customers only).
Cisco 2006 Wireless LAN Controllers (WLC). Cisco Bug ID CSCsi13743 (registered customers only).
Cisco Wireless Control System (WCS). Cisco Bug ID CSCsi13763 (registered customers only).
Cisco says that in some cases the vulnerability can be corrected if you remove or rename the files PreSearch.html and PreSearch.class. You can determine if those files exist by using the operating system's file search feature. Cisco says this workaround doesn't apply to appliances and other products where direct access to the file system is not available, and that by removing or renaming these files it will no longer be possible to search the product's online help contents.
The XSS vulnerability was reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt.
For Cisco's response and for more information on addressing flaws, click here.