_____ .___ _________ / _ \ | |/ _____/ / /_\ \| |\_____ \ / | \ |/ \ \____|__ /___/_______ / \/ \/ Corporation CISCO Systems Inc. Security Report ============================================================ Published Report: 19/02/2014 Credits: Advanced Information Security Corporation, USA Severity: High/Critical (OWASP TOP 10) Type: Web Application / Cross-Site Scripting Attack. Author: Nicholas Lemonias. (Information Security Expert) Vendor Overview =========================== Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, that designs, manufactures, and sells networking equipment. The stock was added to the Dow Jones Industrial Average on June 8, 2009, and is also included in the S&P 500 Index, the Russell 1000 Index, NASDAQ-100 Index and the Russell 1000 Growth Stock Index. Cisco Systems was founded in December 1984 by two members of Stanford University computer support staff: Leonard Bosack who was in charge of the computer science department's computers, and Sandy Lerner, who managed the Graduate School of Business' computers. Coordinated Disclosure Timeline ================================================== [-] 12th of August 2013 - Contacted Vendor regarding the security realisation. [+] 10th of September, 2013 - Vendor Acknowledged the problem. [+] 11th of September, 2013 - Vendor issued a fix, and thanked us for our efforts and responsible disclosure. Description of the security realisation ========================================= CISCO's Visitors, users and products entrust the vendor's website by default. The downloads directory in the public-facing online environment is therefore, vulnerable to a web application type / cross-site scripting vulnerability. A page in the scope of software release updates is therefore vulnerable to a cross-site scripting attack. The input variable 'release', derived as part of the cisco software downloads page does not filter metacharacters from user-input. This problem results in the reproduction and execution of third-party untrusted heterogeneous code. The user and product confidentiality, integrity and availability of information are impacted by this issue as outlined by security standards and best security practise (ISO 27001). Proof of Concept (PoC 1) / Affected Services ============================================== http://www.cisco.com/download/release.html?catid=268438162&mdfid=281940730&os=Windows&release= <script>alert(1);</script>&relind=AVAILABLE&rellifecycle=&reltype=latest&softwareid=282364316 Affected directory/script: /download/release.html Injected Code to path fragment: &release=<script>alert(1);</script>&relind=AVAILABLE&rellifecycle=&reltype=lastest&softwareid=282364316 Recommendations provided for Quality of Service =============================================== A. The recommendations that have been made to CISCO Systems Inc. were in good faith, and in support of quality of service and best security practises. The technical recommendations made are therefore, to consider encrypting the view state of the application. Furthermore to implement a stronger Cross-Site Scripting protection. Apparently XSS filtering is not properly applied, and metacharacter filtering allows data input over the HTTP protocol, and the ability to inject third-party heterogeneous code, which is untrusted, either in: Java-Script, Active-X or Visual Basic Script. Please note that malicious adversaries could take advantage of such issues - as we have seen in notable cases of malware and virus propagation cases. B. Our consultation to CISCO Systems Inc was therefore for an immediate risk assessment and thus to immediate review upper-level security policies in accord to ISO 27001 and ISO 27002. This was followed kindly by the team. We also consulted for a full review of the ISMS policy scope, and revisiting of the vulnerable SDLC application, and other subsidiary pages. Cross Site Scripting attacks are present when a website allows the injection of malicious data from a malicious user. The information is often gathered in the form of a hyperlink. The hyperlink could be disseminated either through email, social networking websites, forums or other online sources. A malicious adversary could take advantage of this vulnerability, for the mass exploitation of unsuspected users, through malware and virus propagation. Malicious user can use defects in the encoding methods, so that the payload is obfuscated. Appendices ============================ A. Suggested the filtering of metacharacters. B. Suggested the utilisation User-server encoding of < and > to &lt; and &gt; in application output. C. An XSS attack could embrace mass user and product attacks, phishing; theft of private and confidential information such as credit cards, passwords, and stored accounts. D. Suggested Filtering < and > and using appropriate encoding methods. We consulted for ( and ) to be changed, filtered and encoded to &#40; and &#41;, Example: # and & converted to &#35 (#) and &#38 (&). References ============================ OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011 OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013. Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/ff649310.aspx. ** This vulnerability report is posted for the wider benefit of the security community, as is and without any warranties, including that of the warranty of merchantability and capability fit for a particular purpose. The information is posted under the FOI as per best security practises. *Copyright Advanced Information Security Corp &#169;, 2014*