CVE-2017-12303 in Web Security Appliance
Summary
by MITRE
A vulnerability in the Advanced Malware Protection (AMP) file filtering feature of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured AMP file filtering rule. The file types affected are zipped or archived file types. The vulnerability is due to incorrect and different file hash values when AMP scans the file. An attacker could exploit this vulnerability by sending a crafted email file attachment through the targeted device. An exploit could allow the attacker to bypass a configured AMP file filter. Cisco Bug IDs: CSCvf52943.
Analysis
by VulDB Data Team • 01/24/2021
The vulnerability identified as CVE-2017-12303 resides within the Advanced Malware Protection file filtering mechanism of Cisco AsyncOS Software operating on Cisco Web Security Appliances. This security flaw represents a critical weakness in the device's ability to properly scan and filter malicious content, specifically targeting zipped or archived file types that are commonly used in phishing attacks and malware distribution campaigns. The vulnerability stems from a fundamental flaw in how the system processes file hashes during the scanning process, creating a scenario where legitimate security controls can be circumvented without any authentication requirements.
The technical root cause of this vulnerability lies in the incorrect handling of file hash values when the Advanced Malware Protection feature processes compressed archives. When the system encounters a zipped or archived file, it generates hash values that differ from those expected during the scanning process, and the resulting mismatch allows malicious files to bypass the configured filtering rules. The mismatch occurs because the AMP system does not properly account for the way compressed files are structured and how their internal components should be hashed for comparison against known malware signatures. The vulnerability specifically affects the file type processing logic within the security appliance's scanning engine, creating a gap in the device's defensive posture.
The operational impact of this vulnerability is severe and far-reaching for organizations relying on Cisco Web Security Appliances for email security. An unauthenticated remote attacker can exploit this weakness by crafting a malicious email attachment that appears legitimate but contains compressed malware within its archive structure. This allows the attacker to bypass the configured AMP file filtering rules without requiring any credentials or privileged access to the system. The attack vector is particularly dangerous because it leverages the very feature designed to protect against malware, turning it into a potential entry point for malicious content. Organizations may experience unauthorized access to their networks, data breaches, and potential system compromise through this bypass mechanism.
This vulnerability aligns with CWE-20 (improper input validation) and relates to the ATT&CK technique T1190 (Exploit Public-Facing Application). The flaw is a classic case of insufficient validation of compressed file content within security scanning processes. Organizations should implement immediate mitigations, including applying the relevant Cisco security patches, reviewing and updating AMP file filtering rules, and adding monitoring for suspicious email traffic patterns. Network segmentation and additional email security layers should be considered as temporary compensating controls while permanent fixes are deployed. The vulnerability also highlights the importance of proper hash validation mechanisms in security appliances and the need for comprehensive testing of file processing logic under various compression scenarios.
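The root-cause paragraph above describes a scanner that hashes the archive it receives rather than the files inside it, and the closing paragraph calls for proper hash validation across compression scenarios. The following Python is an added illustration of that defect class and its fix; it is not Cisco's code and says nothing about AsyncOS internals. It contrasts a naive filter that hashes only the container with a recursive scanner that hashes the container and every member, descending into nested archives and failing closed when a nesting-depth or size policy is exceeded. The blocklist entry, the archives, and the policy limits (`MAX_DEPTH`, `MAX_MEMBER_BYTES`) are all constructed for the example.

```python
"""Container hash vs. member hash in an archive filter (added example).

The blocklist, the sample archives and the policy limits below are
constructed in memory for this demonstration; they are not product values.
"""
import hashlib
import io
import zipfile

# Hypothetical policy limits that keep recursive extraction bounded.
MAX_DEPTH = 4                          # archives nested deeper than this are refused
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate any single member past this


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_verdict(blob: bytes, blocklist: set) -> str:
    """Flawed approach: hash the object exactly as received.

    A blocklisted file wrapped in a ZIP produces a completely different
    container hash, so this check never fires on the archive.
    """
    return "blocked" if sha256(blob) in blocklist else "allowed"


def iter_objects(blob: bytes, path: str = "", depth: int = 0):
    """Yield (path, bytes) for blob and, if it is a ZIP, for every member,
    recursing into nested ZIPs. Raises ValueError when policy is exceeded."""
    label = path or "<container>"
    yield (label, blob)
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return
    if depth >= MAX_DEPTH:
        raise ValueError(f"{label}: archive nesting exceeds {MAX_DEPTH}")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check the declared size before inflating; the central directory
            # can lie, so the actual length is checked again after reading.
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: declared size too large")
            data = zf.read(info)
            if len(data) > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: inflated size too large")
            member_path = f"{path}/{info.filename}" if path else info.filename
            yield from iter_objects(data, member_path, depth + 1)


def scan_verdict(blob: bytes, blocklist: set):
    """Hardened approach: compare the hash of the container AND of every
    (possibly nested) member against the blocklist. Malformed or
    over-policy archives are blocked rather than allowed (fail closed)."""
    try:
        for path, data in iter_objects(blob):
            if sha256(data) in blocklist:
                return ("blocked", path)
    except (ValueError, zipfile.BadZipFile) as exc:
        return ("blocked", f"policy: {exc}")
    return ("allowed", None)


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a "known bad" payload whose hash is on the blocklist,
# shipped inside a ZIP that itself sits inside another ZIP.
BAD_PAYLOAD = b"placeholder payload bytes, constructed for this example\n"
BLOCKLIST = {sha256(BAD_PAYLOAD)}
OUTER = build_zip({
    "report.pdf": b"harmless content",
    "inner.zip": build_zip({"invoice.exe": BAD_PAYLOAD}),
})


def demo():
    """Return both verdicts for the constructed sample archive."""
    return {
        "naive": naive_verdict(OUTER, BLOCKLIST),
        "recursive": scan_verdict(OUTER, BLOCKLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the naive filter returning `allowed` for the outer archive while the recursive scanner reports `inner.zip/invoice.exe` as blocked. The depth and size limits matter in practice: a scanner that recurses into members without bounds trades the bypass for a resource-exhaustion problem, so the example refuses rather than allows anything it cannot fully inspect.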