Full Disclosure mailing list archives

Re: Cisco ACE XML Gateway <= 6.0 Internal IPdisclosure

From: "Paul Oxman (poxman)" <poxman () cisco com>
Date: Fri, 25 Sep 2009 22:32:12 +0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Unmatched Request Discloses Client Internal
                         IP Address

http://www.cisco.com/warp/public/707/cisco-sr-20090925-axg.shtml

Revision: 1.0
=========

For Public Release 2009 September 25 1500 UTC (GMT)

- ---------------------------------------------------------------------

Cisco Response
==============

This is the Cisco PSIRT response to the statements made by Alejandro
Hernandez H. in his advisory: "Cisco ACE XML Gateway <= 6.0 Internal
IP disclosure".

The original email/advisory is available at 
http://seclists.org/fulldisclosure/2009/Sep/0369.html 

Cisco would like to thank Alejandro Hernandez H. for discovering and
reporting this vulnerability to Cisco.

This response is posted at the following link: 
http://www.cisco.com/warp/public/707/cisco-sr-20090925-axg.shtml

Additional Information
======================

This vulnerability is documented in Cisco bug ID: CSCtb82159.

For customers without access to Cisco's Bug Toolkit, the full Release
Note for Cisco Bug ID CSCtb82159 has been made available here, as
follows:

Symptom
+------

When generating a "Message-handling Errors" message, if an
appropriate error handler is not found, the response discloses the
Cisco ACE XML Gateway (AXG) and the Cisco ACE Web Application
Firewall (WAF) client internal IP address.

Conditions
+---------

All versions prior to system software version 6.1 are vulnerable.

This vulnerability affects the Cisco ACE XML Gateway and the Cisco
ACE Web Application Firewall.

Though the response by itself does not provide any way to compromise
the device, this behavior discloses potentially valuable information
about the internal network structure.

The disclosed address is not the address of the AXG or WAF, it is an
address of its client, which in many cases is a load balancer.

The Internal IP address is included in the message-handling errors
response if AXG or WAF was not able to find a matching handler for
the request.

Workaround
+---------

There is currently no workaround for this vulnerability.

Further Problem Description
+--------------------------

System software version 6.1 is expected to be available in November
2009.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Revision History
================

+----------------------------------------+
| Revision |                   | Initial |
| 1.0      | 2009-September-25 | public  |
|          |                   | release |
+----------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_po
licy.html
This includes  instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBSrzUbPOp/xnPFP7gEQJ38gCfeLV1Z2gsjSZFjC1oLVlO8XVxadkAn1RX
B32ChX1aNmbUP47dBgP/s/BF
=930b
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Cisco ACE XML Gateway <= 6.0 Internal IP disclosure nitrØus (Sep 24)
- Re: Cisco ACE XML Gateway <= 6.0 Internal IPdisclosure Paul Oxman (poxman) (Sep 25)
- <Possible follow-ups>
- Re: Cisco ACE XML Gateway <= 6.0 Internal IP disclosure Richard Cyrios (Sep 24)
  - Re: Cisco ACE XML Gateway <= 6.0 Internal IP disclosure Jeremy Brown (Sep 24)
  - Re: Cisco ACE XML Gateway <= 6.0 Internal IP disclosure Valdis . Kletnieks (Sep 25)