The security flaw affects three Cisco security appliances

Jun 11, 2014 06:01 GMT
Email Security, Web Security and Security Management appliances are affected

Cisco AsyncOS, the operating system powering multiple Cisco security appliances, has been patched against a reflected cross-site scripting vulnerability that allowed an unauthenticated attacker to load an arbitrary script in the context of the user’s browser.

The affected products are Cisco Email Security Appliance 8.0, Cisco Web Security Appliance 8.0 and Content Security Management Appliance 8.3. Earlier versions are also vulnerable.

According to the Cisco advisory, “the vulnerability is due to insufficient input validation of a parameter,” in this case date_range. Exploitation requires the attacker to persuade a logged-in user to open a crafted URL containing the malformed parameter.

The patch released by the company eliminates the flaw in the reports overview page of the management interface and should be applied as soon as possible. For older products, upgrading to the latest version is recommended.
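To illustrate the class of fix the advisory describes (validating the parameter before it is reflected), here is an added example that is not Cisco's code and does not reflect how AsyncOS handles the parameter; the date_range format, the report path and the log lines are all constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# ASSUMED format for date_range: two ISO dates joined by a colon,
# e.g. "2014-06-01:2014-06-10". The real AsyncOS format is not given
# in the article; this allowlist is a stand-in to show the approach.
DATE_RANGE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}:\d{4}-\d{2}-\d{2}$")


def is_valid_date_range(value: str) -> bool:
    """Allowlist check: anything outside the expected shape is rejected."""
    return DATE_RANGE_RE.match(value) is not None


def render_unsafe(date_range: str) -> str:
    """The vulnerable pattern: the parameter is echoed into the page as-is."""
    return f"<h2>Report for {date_range}</h2>"


def render_safe(date_range: str) -> str:
    """Hardened: validate on input, then HTML-encode on output."""
    if not is_valid_date_range(date_range):
        raise ValueError("invalid date_range")
    return f"<h2>Report for {html.escape(date_range)}</h2>"


def suspicious_date_range_requests(log_lines):
    """Flag access-log lines whose date_range value fails the allowlist.

    Expects combined-log-format lines; returns (client_ip, value) pairs.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        query = urlsplit(parts[6]).query  # parts[6] is the request target
        for value in parse_qs(query, keep_blank_values=True).get("date_range", []):
            if not is_valid_date_range(value):  # parse_qs already percent-decodes
                hits.append((parts[0], value))
    return hits


# Constructed sample log lines; the report path is an assumption, not AsyncOS's.
SAMPLE_LOG = [
    '10.0.0.5 - admin [11/Jun/2014:06:01:00 +0000] "GET /reports/overview?date_range=2014-06-01:2014-06-10 HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [11/Jun/2014:06:02:13 +0000] "GET /reports/overview?date_range=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5210',
]
```

Running `suspicious_date_range_requests(SAMPLE_LOG)` over the constructed lines returns only the second request, which is the kind of hit worth alerting on while the patch is being rolled out.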

However, if this cannot be done, the CERT/CC (Computer Emergency Response Team Coordination Center) provides the following workaround:

“As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the web interface using stolen credentials from a blocked network location.”