Vulnerabilities > CVE-2013-3384 - Code Injection vulnerability in Cisco Ironport Asyncos

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

cisco

CWE-94

critical

nessus

NVD

Published: 2013-06-27

Updated: 2018-10-30

Summary

The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550; Email Security Appliance devices before 7.1.5-104, 7.3 before 7.3.2-026, 7.5 before 7.5.2-203, and 7.6 before 7.6.3-019; and Content Security Management Appliance devices before 7.2.2-110, 7.7 before 7.7.0-213, and 7.8 and 7.9 before 7.9.1-102 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL, aka Bug IDs CSCzv85726, CSCzv44633, and CSCzv24579.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco Ironport Asyncos * Cisco Ironport Asyncos 7.2 Cisco Ironport Asyncos 7.3 Cisco Ironport Asyncos 7.5 Cisco Ironport Asyncos 7.6 Cisco Ironport Asyncos 7.7 Cisco Ironport Asyncos 7.8 Cisco Ironport Asyncos 7.9 Cisco Email Security Appliance Firmware -	9
Hardware	Cisco Cisco Content Security Management - Cisco WEB Security Appliance -	2

Common Weakness Enumeration (CWE)

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20130626-SMA.NASL
description	According to its self-reported version, the version of Cisco Content Security Management Appliance running on the remote host has the following vulnerabilities : - An unspecified vulnerability exists in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) - A denial of service vulnerability exists in the management GUI that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3386)
last seen	2020-06-01
modified	2020-06-02
plugin id	69079
published	2013-07-26
reporter	This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/69079
title	Multiple Vulnerabilities in Cisco Content Security Management Appliance (cisco-sa-20130626-sma)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69079); script_version("1.5"); script_cvs_date("Date: 2018/11/15 20:50:20"); script_cve_id("CVE-2013-3384", "CVE-2013-3385", "CVE-2013-3386"); script_bugtraq_id(60805, 60806, 60807); script_xref(name:"CISCO-BUG-ID", value:"CSCzv24579"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv78669"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv81712"); script_xref(name:"CISCO-SA", value:"cisco-sa-20130626-sma"); script_name(english:"Multiple Vulnerabilities in Cisco Content Security Management Appliance (cisco-sa-20130626-sma)"); script_summary(english:"Checks SMA version"); script_set_attribute(attribute:"synopsis", value:"The remote security appliance is missing a vendor-supplied patch."); script_set_attribute( attribute:"description", value: "According to its self-reported version, the version of Cisco Content Security Management Appliance running on the remote host has the following vulnerabilities : - An unspecified vulnerability exists in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) - A denial of service vulnerability exists in the management GUI that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3386)" ); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-sma script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?721fa320"); script_set_attribute( attribute:"solution", value: "Apply the relevant update referenced in Cisco Security Advisory cisco-sa-20130626-sma." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:content_security_management_appliance"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("cisco_sma_version.nasl"); script_require_keys("Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion", "Host/AsyncOS/Cisco Content Security Management Appliance/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion'); ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Content Security Management Appliance/Version'); if (ver =~ "^[0-6]\." \|\| ver =~ "^7\.[012]\.") # 7.2 and earlier display_fix = '7.9.1-102'; else if (ver =~ "^7\.7\.") display_fix = '7.9.1-102'; else if (ver =~ "^7\.8\.") display_fix = '7.9.1-102'; else if (ver =~ "^7\.9\.") display_fix = '7.9.1-102'; else if (ver =~ "^8\.0\.") display_fix = '8.0.0-404'; else audit(AUDIT_INST_VER_NOT_VULN, 'Cisco SMA', display_ver); fix = str_replace(string:display_fix, find:'-', replace:'.'); if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco SMA', display_ver); if (report_verbosity > 0) { report = '\n Installed version : ' + display_ver + '\n Fixed version : ' + display_fix + '\n'; security_hole(port:0, extra:report); } else security_hole(0);

NASL family	CISCO
NASL id	CISCO-SA-20130626-ESA.NASL
description	According to its self-reported version, the Cisco AsyncOS running on the remote Cisco Email Security (ESA) appliance is affected by multiple vulnerabilities : - An unspecified vulnerability exists in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) - A denial of service vulnerability exists in the management GUI that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3386)
last seen	2020-06-01
modified	2020-06-02
plugin id	69076
published	2013-07-26
reporter	This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/69076
title	Multiple Vulnerabilities in Cisco Email Security Appliance (cisco-sa-20130626-esa)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69076); script_version("1.7"); script_cvs_date("Date: 2018/11/15 20:50:20"); script_cve_id("CVE-2013-3384", "CVE-2013-3385", "CVE-2013-3386"); script_bugtraq_id(60805, 60806, 60807); script_xref(name:"CISCO-BUG-ID", value:"CSCzv25573"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv44633"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv63329"); script_xref(name:"CISCO-SA", value:"cisco-sa-20130626-esa"); script_name(english:"Multiple Vulnerabilities in Cisco Email Security Appliance (cisco-sa-20130626-esa)"); script_summary(english:"Checks ESA version"); script_set_attribute(attribute:"synopsis", value: "The remote security appliance is missing a vendor-supplied security patch."); script_set_attribute( attribute:"description", value: "According to its self-reported version, the Cisco AsyncOS running on the remote Cisco Email Security (ESA) appliance is affected by multiple vulnerabilities : - An unspecified vulnerability exists in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385) - A denial of service vulnerability exists in the management GUI that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3386)" ); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-esa script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e9e55d4e"); script_set_attribute( attribute:"solution", value: "Apply the relevant update referenced in Cisco Security Advisory cisco-sa-20130626-esa." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:email_security_appliance"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:email_security_appliance_firmware"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("cisco_esa_version.nasl"); script_require_keys("Host/AsyncOS/Cisco Email Security Appliance/DisplayVersion", "Host/AsyncOS/Cisco Email Security Appliance/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Email Security Appliance/DisplayVersion'); ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Email Security Appliance/Version'); if (ver =~ "^[0-6]\." \|\| ver =~ "^7\.[01]\.") # 7.1 and prior display_fix = '7.1.5-106'; else if (ver =~ "^7\.3\.") display_fix = '8.0.0-671'; else if (ver =~ "^7\.5\.") display_fix = '7.6.3-019'; else if (ver =~ "^7\.6\.") display_fix = '7.6.3-019'; else audit(AUDIT_INST_VER_NOT_VULN, 'Cisco ESA', display_ver); fix = str_replace(string:display_fix, find:'-', replace:'.'); if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco ESA', display_ver); if (report_verbosity > 0) { report = '\n Installed version : ' + display_ver + '\n Fixed version : ' + display_fix + '\n'; security_hole(port:0, extra:report); } else security_hole(0);

NASL family	CISCO
NASL id	CISCO-SA-20130626-WSA.NASL
description	According to its self-reported version, the version of Cisco Web Security Appliance running on the remote host has the following vulnerabilities : - Multiple unspecified vulnerabilities exist in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3383, CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385)
last seen	2020-06-01
modified	2020-06-02
plugin id	69082
published	2013-07-26
reporter	This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/69082
title	Multiple Vulnerabilities in Cisco Web Security Appliance (cisco-sa-20130626-wsa)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69082); script_version("1.6"); script_cvs_date("Date: 2018/11/15 20:50:20"); script_cve_id("CVE-2013-3383", "CVE-2013-3384", "CVE-2013-3385"); script_bugtraq_id(60804, 60805, 60807); script_xref(name:"CISCO-BUG-ID", value:"CSCzv58669"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv69294"); script_xref(name:"CISCO-BUG-ID", value:"CSCzv85726"); script_xref(name:"CISCO-SA", value:"cisco-sa-20130626-wsa"); script_name(english:"Multiple Vulnerabilities in Cisco Web Security Appliance (cisco-sa-20130626-wsa)"); script_summary(english:"Checks WSA version"); script_set_attribute(attribute:"synopsis", value:"The remote security appliance is missing a vendor-supplied patch."); script_set_attribute( attribute:"description", value: "According to its self-reported version, the version of Cisco Web Security Appliance running on the remote host has the following vulnerabilities : - Multiple unspecified vulnerabilities exist in the web framework that could allow a remote, authenticated attacker to execute arbitrary commands. (CVE-2013-3383, CVE-2013-3384) - A denial of service vulnerability exists in the web framework that could allow a remote, unauthenticated attacker to make the system unresponsive. (CVE-2013-3385)" ); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ce4facb"); script_set_attribute( attribute:"solution", value: "Apply the relevant update referenced in Cisco Security Advisory cisco-sa-20130626-wsa." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2013/06/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:web_security_appliance"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("cisco_wsa_version.nasl"); script_require_keys("Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion", "Host/AsyncOS/Cisco Web Security Appliance/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion'); ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/Version'); if (ver =~ "^[0-6]\." \|\| ver =~ "^7\.[01]\.") # 7.1 and prior display_fix = '7.1.3-033'; else if (ver =~ "^7\.5\.") display_fix = '7.5.0-838'; else if (ver =~ "^7\.7\.") display_fix = '7.7.0-602'; else audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver); fix = str_replace(string:display_fix, find:'-', replace:'.'); if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver); if (report_verbosity > 0) { report = '\n Installed version : ' + display_ver + '\n Fixed version : ' + display_fix + '\n'; security_hole(port:0, extra:report); } else security_hole(0);

Seebug

bulletinFamily	exploit
description	CVE(CAN) ID: CVE-2013-3384 Cisco Web Security Appliance是安全的Web网关，在一个平台上集成了恶意软件防护、应用可视化控制、策略控制等。Cisco IronPort AsyncOS是电子邮件安全设备。 Cisco Web Security Appliance设备上的IronPort AsyncOS在Web框架的实现上，以及Content Security Management Appliance设备和Email Security Appliance设备存在安全漏洞，经过身份验证的远程用户通过IPv4发送的URL特制命令行，利用此漏洞可执行任意命令。 0 Cisco Web Security Appliance <= 7.7.0-550 Cisco Web Security Appliance <= 7.5.0-838 Cisco Web Security Appliance <= 7.1.3-013 Cisco Email Security Appliance <= 7.6.3-019 Cisco Email Security Appliance <= 7.5.2-203 Cisco Email Security Appliance <= 7.3.2-026 Cisco Email Security Appliance <= 7.1.5-104 Cisco Content Security Management Appliance <= 7.9.1-102 Cisco Content Security Management Appliance <= 7.7.0-213 Cisco Content Security Management Appliance <= 7.2.2-110 厂商补丁： Cisco ----- Cisco已经为此发布了一个安全公告（cisco-sa-20130626-wsa）以及相应补丁: cisco-sa-20130626-wsa：Multiple Vulnerabilities in Cisco Web Security Appliance 链接：http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa
id	SSV:60868
last seen	2017-11-19
modified	2013-07-02
published	2013-07-02
reporter	Root
title	Cisco Web Security Appliance Web框架任意命令执行漏洞(CVE-2013-3384)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Seebug

References