Vulnerabilities > CVE-2013-3384 - Code Injection vulnerability in Cisco Ironport Asyncos
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550; Email Security Appliance devices before 7.1.5-104, 7.3 before 7.3.2-026, 7.5 before 7.5.2-203, and 7.6 before 7.6.3-019; and Content Security Management Appliance devices before 7.2.2-110, 7.7 before 7.7.0-213, and 7.8 and 7.9 before 7.9.1-102 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL, aka Bug IDs CSCzv85726, CSCzv44633, and CSCzv24579.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 9 | |
| Hardware | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Nessus
NASL family CISCO NASL id CISCO-SA-20130626-SMA.NASL description According to its self-reported version, the version of Cisco Content Security Management Appliance running on the remote host has the following vulnerabilities : - An unspecified vulnerability exists in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) - A denial of service vulnerability exists in the management GUI that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3386) last seen 2020-06-01 modified 2020-06-02 plugin id 69079 published 2013-07-26 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69079 title Multiple Vulnerabilities in Cisco Content Security Management Appliance (cisco-sa-20130626-sma) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69079); script_version("1.5"); script_cvs_date("Date: 2018/11/15 20:50:20"); script_cve_id("CVE-2013-3384", "CVE-2013-3385", "CVE-2013-3386"); script_bugtraq_id(60805, 60806, 60807); script_xref(name:"CISCO-BUG-ID", value:"CSCzv24579"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv78669"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv81712"); script_xref(name:"CISCO-SA", value:"cisco-sa-20130626-sma"); script_name(english:"Multiple Vulnerabilities in Cisco Content Security Management Appliance (cisco-sa-20130626-sma)"); script_summary(english:"Checks SMA version"); script_set_attribute(attribute:"synopsis", value:"The remote security appliance is missing a vendor-supplied patch."); script_set_attribute( attribute:"description", value: "According to its self-reported version, the version of Cisco Content Security Management Appliance running on the remote host has the following vulnerabilities : - An unspecified vulnerability exists in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) - A denial of service vulnerability exists in the management GUI that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3386)" ); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-sma script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?721fa320"); script_set_attribute( attribute:"solution", value: "Apply the relevant update referenced in Cisco Security Advisory cisco-sa-20130626-sma." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:content_security_management_appliance"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("cisco_sma_version.nasl"); script_require_keys("Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion", "Host/AsyncOS/Cisco Content Security Management Appliance/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion'); ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Content Security Management Appliance/Version'); if (ver =~ "^[0-6]\." || ver =~ "^7\.[012]\.") # 7.2 and earlier display_fix = '7.9.1-102'; else if (ver =~ "^7\.7\.") display_fix = '7.9.1-102'; else if (ver =~ "^7\.8\.") display_fix = '7.9.1-102'; else if (ver =~ "^7\.9\.") display_fix = '7.9.1-102'; else if (ver =~ "^8\.0\.") display_fix = '8.0.0-404'; else audit(AUDIT_INST_VER_NOT_VULN, 'Cisco SMA', display_ver); fix = str_replace(string:display_fix, find:'-', replace:'.'); if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco SMA', display_ver); if (report_verbosity > 0) { report = '\n Installed version : ' + display_ver + '\n Fixed version : ' + display_fix + '\n'; security_hole(port:0, extra:report); } else security_hole(0);NASL family CISCO NASL id CISCO-SA-20130626-ESA.NASL description According to its self-reported version, the Cisco AsyncOS running on the remote Cisco Email Security (ESA) appliance is affected by multiple vulnerabilities : - An unspecified vulnerability exists in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) - A denial of service vulnerability exists in the management GUI that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3386) last seen 2020-06-01 modified 2020-06-02 plugin id 69076 published 2013-07-26 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69076 title Multiple Vulnerabilities in Cisco Email Security Appliance (cisco-sa-20130626-esa) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69076); script_version("1.7"); script_cvs_date("Date: 2018/11/15 20:50:20"); script_cve_id("CVE-2013-3384", "CVE-2013-3385", "CVE-2013-3386"); script_bugtraq_id(60805, 60806, 60807); script_xref(name:"CISCO-BUG-ID", value:"CSCzv25573"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv44633"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv63329"); script_xref(name:"CISCO-SA", value:"cisco-sa-20130626-esa"); script_name(english:"Multiple Vulnerabilities in Cisco Email Security Appliance (cisco-sa-20130626-esa)"); script_summary(english:"Checks ESA version"); script_set_attribute(attribute:"synopsis", value: "The remote security appliance is missing a vendor-supplied security patch."); script_set_attribute( attribute:"description", value: "According to its self-reported version, the Cisco AsyncOS running on the remote Cisco Email Security (ESA) appliance is affected by multiple vulnerabilities : - An unspecified vulnerability exists in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) - A denial of service vulnerability exists in the management GUI that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3386)" ); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-esa script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e9e55d4e"); script_set_attribute( attribute:"solution", value: "Apply the relevant update referenced in Cisco Security Advisory cisco-sa-20130626-esa." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:email_security_appliance"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:email_security_appliance_firmware"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("cisco_esa_version.nasl"); script_require_keys("Host/AsyncOS/Cisco Email Security Appliance/DisplayVersion", "Host/AsyncOS/Cisco Email Security Appliance/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Email Security Appliance/DisplayVersion'); ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Email Security Appliance/Version'); if (ver =~ "^[0-6]\." || ver =~ "^7\.[01]\.") # 7.1 and prior display_fix = '7.1.5-106'; else if (ver =~ "^7\.3\.") display_fix = '8.0.0-671'; else if (ver =~ "^7\.5\.") display_fix = '7.6.3-019'; else if (ver =~ "^7\.6\.") display_fix = '7.6.3-019'; else audit(AUDIT_INST_VER_NOT_VULN, 'Cisco ESA', display_ver); fix = str_replace(string:display_fix, find:'-', replace:'.'); if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco ESA', display_ver); if (report_verbosity > 0) { report = '\n Installed version : ' + display_ver + '\n Fixed version : ' + display_fix + '\n'; security_hole(port:0, extra:report); } else security_hole(0);NASL family CISCO NASL id CISCO-SA-20130626-WSA.NASL description According to its self-reported version, the version of Cisco Web Security Appliance running on the remote host has the following vulnerabilities : - Multiple unspecified vulnerabilities exist in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3383, CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) last seen 2020-06-01 modified 2020-06-02 plugin id 69082 published 2013-07-26 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69082 title Multiple Vulnerabilities in Cisco Web Security Appliance (cisco-sa-20130626-wsa) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69082); script_version("1.6"); script_cvs_date("Date: 2018/11/15 20:50:20"); script_cve_id("CVE-2013-3383", "CVE-2013-3384", "CVE-2013-3385"); script_bugtraq_id(60804, 60805, 60807); script_xref(name:"CISCO-BUG-ID", value:"CSCzv58669"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv69294"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv85726"); script_xref(name:"CISCO-SA", value:"cisco-sa-20130626-wsa"); script_name(english:"Multiple Vulnerabilities in Cisco Web Security Appliance (cisco-sa-20130626-wsa)"); script_summary(english:"Checks WSA version"); script_set_attribute(attribute:"synopsis", value:"The remote security appliance is missing a vendor-supplied patch."); script_set_attribute( attribute:"description", value: "According to its self-reported version, the version of Cisco Web Security Appliance running on the remote host has the following vulnerabilities : - Multiple unspecified vulnerabilities exist in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3383, CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385)" ); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ce4facb"); script_set_attribute( attribute:"solution", value: "Apply the relevant update referenced in Cisco Security Advisory cisco-sa-20130626-wsa." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:web_security_appliance"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("cisco_wsa_version.nasl"); script_require_keys("Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion", "Host/AsyncOS/Cisco Web Security Appliance/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion'); ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/Version'); if (ver =~ "^[0-6]\." || ver =~ "^7\.[01]\.") # 7.1 and prior display_fix = '7.1.3-033'; else if (ver =~ "^7\.5\.") display_fix = '7.5.0-838'; else if (ver =~ "^7\.7\.") display_fix = '7.7.0-602'; else audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver); fix = str_replace(string:display_fix, find:'-', replace:'.'); if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver); if (report_verbosity > 0) { report = '\n Installed version : ' + display_ver + '\n Fixed version : ' + display_fix + '\n'; security_hole(port:0, extra:report); } else security_hole(0);
Seebug
| bulletinFamily | exploit |
| description | CVE(CAN) ID: CVE-2013-3384 Cisco Web Security Appliance是安全的Web网关,在一个平台上集成了恶意软件防护、应用可视化控制、策略控制等。Cisco IronPort AsyncOS是电子邮件安全设备。 Cisco Web Security Appliance设备上的IronPort AsyncOS在Web框架的实现上,以及Content Security Management Appliance设备和Email Security Appliance设备存在安全漏洞,经过身份验证的远程用户通过IPv4发送的URL特制命令行,利用此漏洞可执行任意命令。 0 Cisco Web Security Appliance <= 7.7.0-550 Cisco Web Security Appliance <= 7.5.0-838 Cisco Web Security Appliance <= 7.1.3-013 Cisco Email Security Appliance <= 7.6.3-019 Cisco Email Security Appliance <= 7.5.2-203 Cisco Email Security Appliance <= 7.3.2-026 Cisco Email Security Appliance <= 7.1.5-104 Cisco Content Security Management Appliance <= 7.9.1-102 Cisco Content Security Management Appliance <= 7.7.0-213 Cisco Content Security Management Appliance <= 7.2.2-110 厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20130626-wsa)以及相应补丁: cisco-sa-20130626-wsa:Multiple Vulnerabilities in Cisco Web Security Appliance 链接:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa |
| id | SSV:60868 |
| last seen | 2017-11-19 |
| modified | 2013-07-02 |
| published | 2013-07-02 |
| reporter | Root |
| title | Cisco Web Security Appliance Web框架任意命令执行漏洞(CVE-2013-3384) |
References
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-esa
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-esa
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-sma
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-sma
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa