Cisco ASA Web-based Management Interface HREF cross site scripting

Summaryinfo

A vulnerability classified as problematic has been found in Cisco ASA. Affected is an unknown function of the component Web-based Management Interface. This manipulation of the argument HREF causes cross site scripting. This vulnerability is handled as CVE-2017-12265. The attack can be initiated remotely. There is not any exploit available.

Detailsinfo

A vulnerability has been found in Cisco ASA (Firewall Software) (version now known) and classified as problematic. Affected by this vulnerability is some unknown processing of the component Web-based Management Interface. The manipulation of the argument HREF with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. The summary by CVE is:

A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device, aka HREF XSS. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. The vulnerability exists in the Cisco Adaptive Security Appliance (ASA) Software when the WEBVPN feature is enabled. Cisco Bug IDs: CSCve91068.

The bug was discovered 10/04/2017. The weakness was released 10/05/2017 (Website). It is possible to read the advisory at securitytracker.com. This vulnerability is known as CVE-2017-12265 since 08/03/2017. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 01/15/2021). The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $5k-$25k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 316159 (Cisco Adaptive Security Appliance HREF Cross-Site Scripting Vulnerability (cisco-sa-20171004-asa1)).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 101170†). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Firewall Software

Vendor

• Cisco

Name

• ASA

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion