Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
ISC StormCast for Friday, March 21st 2014 http://isc.sans.edu/podcastdetail.html?id=3901

Cisco AsyncOS Patch

Published: 2014-03-21
Last Updated: 2014-03-21 00:16:12 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Cisco released a patch for AsyncOS, the operating system used in it's E-Mail Security Appliance (ESA) and Security Management Appliance (SMA).

The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blacklist is pared, arbitrary commands are executed.

This sounds like an OS command injection vulnerability. The parameters (assumed to be IP addresses) are likely passed as arguments to a firewall script, but if the address includes specific characters (usually ; or & ?) , additional commands can be executed.

Time to patch, but given that the attacker has to be authenticated, makes this a less severe vulnerability then other arbitrary code execution vulnerabilities.

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140319-asyncos

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: cisco patch
0 comment(s)
Diary Archives