BOSTON, MA – Feb. 1, 2010 - Core Security Technologies, provider of the CORE IMPACT family of comprehensive enterprise security testing solutions, today issued an advisory disclosing a vulnerability that could affect large numbers of organizations using Cisco's Secure Desktop security package and leave users of the product open to potential Cross-Site Scripting (XSS) attacks.
A security consultant working in CoreLabs, the research arm of Core Security Technologies, found that affected versions of Cisco Secure Desktop mishandle some browser requests, leaving end users vulnerable to targeted online attacks that exploit the resulting XSS vulnerability. Cross-site scripting threats can be used to do everything from stealing IT systems log-in credentials to tricking people into visiting fraudulent phishing and malware-distribution sites.
Cisco Secure Desktop is marketed as a multifunctional component of the Cisco SSL VPN appliance solution, with onboard capabilities for host scan checks, desktop encryption, cache cleaning, and both keystroke logger and host emulation detection.
Cisco issued an update to Secure Desktop that addresses the vulnerability (CSCsw15646) on Feb. 1, 2010. The company also released an updated version of the product that does not include the reported XSS flaw.
CoreLabs researcher Matias Pablo Brutti, a consultant with Core's Security Consulting Services team, is credited with discovering the Cisco Secure Desktop vulnerability.
"Cross-site scripting remains one of the most prevalent and dangerous attack vectors in use over the Internet today, exposing organizations and end users to an extremely wide range of potential threats from infiltration and information theft to malware infection," said Ivan Arce, CTO of Core Security Technologies. "It's also important to note that it is not unusual to find such exploitable vulnerabilities in defensive security products or features that are specifically meant to prevent the attacks that result from these issues. This highlights the need to consistently test the resiliency of many different forms of IT systems and applications including those designed to work as security controls to identify and prioritize risks accurately."
Vulnerability Specifics
The Cisco Secure Desktop Web application does not sufficiently verify that a POST request submitted by a user is well formed, resulting in a remotely exploitable Cross-Site Scripting (XSS) vulnerability.
In this instance, the content of the POST field is not encoded at the time of being used in HTML output, therefore allowing an attacker who controls Web content to insert nefarious JavaScript code. Furthermore, an attacker could possibly inject JavaScript code into the start.html page because the content of the previously mentioned POST request is used as input for an 'eval' function, allowing an attacker to arbitrarily specify JavaScript code to be executed in the context of the 'eval' function. (continued...)
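The flaw described above, as an added example that is not Cisco's code and not part of the original advisory: a hypothetical page renderer that places a POST field raw into HTML output and into 'eval' input, beside a hardened version that checks the request is well formed, encodes per output context and drops 'eval'. The field name `token`, its allowed format and all function names are assumptions.

```javascript
// Added illustration; hypothetical renderer, not Cisco Secure Desktop code.
// Assumptions: the POST field is named "token" and should match WELL_FORMED.
const WELL_FORMED = /^[A-Za-z0-9_-]{1,64}$/;
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Emit a JavaScript string literal that cannot close the literal or the
// enclosing <script> element, so the value stays data.
function jsLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Flawed pattern from the advisory text: the field reaches the HTML output
// unencoded and is also concatenated into the input of eval.
function renderFlawed(token) {
  return `<input type="hidden" name="token" value="${token}">` +
         `<script>eval('var t = "${token}";');</script>`;
}

// Hardened: verify the request is well formed, encode per context, no eval.
function renderHardened(token) {
  if (typeof token !== 'string' || !WELL_FORMED.test(token)) {
    return { status: 400, body: 'Bad request' };
  }
  return {
    status: 200,
    body: `<input type="hidden" name="token" value="${escapeHtml(token)}">` +
          `<script>var t = ${jsLiteral(token)};</script>`,
  };
}

// Constructed sample input containing markup characters (inert marker text).
const sample = 'x"><i>marker</i>';
console.log(renderFlawed(sample));       // markup passes through verbatim
console.log(renderHardened(sample));     // rejected as malformed
console.log(renderHardened('abc-123'));  // accepted and encoded
```

The format check and the encoders are independent layers: the encoders still neutralize markup in any value that a looser format check lets through.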