
Preemptive Protection against Cisco ASA Appliance WebVPN Cross Site Scripting Vulnerability


Check Point Reference: CPAI-2009-067
Date Published:
Preemptive Since: March 12, 2008
Severity:
Source: Bugtraq ID: 34307
Industry Reference(s): CVE-2009-1220
Protection Provided by:
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Cisco ASA 5520
Cisco ASA software 7.2(2)22
Vulnerability Description
Cisco ASA is vulnerable to a reflected cross-site scripting vulnerability in its WebVPN interface. The vulnerability is caused by improper validation of user-supplied input by the index.html page, which reflects the value of the HTTP Host header into its output without encoding it. An attacker who can control the Host header of a request may use it to execute script in a victim's Web browser in the context of the WebVPN site and steal cookie-based authentication credentials.
Update/Patch Available
No solution available as of April 13, 2009.
Vulnerability Details
An attacker can exploit this issue by causing a victim's browser to send a request whose Host header contains script. Because a browser derives the Host header from the URL's hostname rather than from page content, a plain link is not enough to set an arbitrary value; the attacker needs a position that lets them rewrite or inject the header, which narrows the practical attack surface but does not remove it.

Protection Overview

IPS-1 has been preemptive against this vulnerability since March 12, 2008. No update required. The IPS-1 protection detects and blocks HTTP requests whose Host header contains script tags.
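The following is an added example, not Check Point's IPS-1 signature or Cisco's code. It shows the detection logic described above in Python: the Host header is extracted from a raw HTTP request and checked first with a blocklist comparable to the IPS rule (script tags in the header value), then with a stricter allowlist based on the RFC 1123 hostname grammar, which also catches payloads that carry no script tag. The sample requests are constructed for the example, and `safe_reflect` shows the output encoding an application should apply before reflecting a header; that fix is an assumption about the root cause, since no vendor patch is described on this page.

```python
import html
import re
from typing import Dict, Optional

# Allowlist: RFC 1123 hostname labels (letters, digits, hyphens), an optional
# trailing dot, an optional port, or a bracketed IPv6 literal.  Anything that
# does not match is treated as suspicious regardless of its exact payload.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|(?:" + _LABEL + r"\.)*" + _LABEL + r"\.?)(?::\d{1,5})?$"
)

# Blocklist comparable to the IPS signature: an opening or closing script tag
# anywhere in the header value, case-insensitive, tolerant of stray spaces.
_SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def host_header(raw_request: bytes) -> Optional[str]:
    """Return the value of the Host header from a raw HTTP request, or None.

    Header names are matched case-insensitively, so 'HOST:' and 'host:' both
    count; only the head section (before the blank line) is inspected.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return None


def classify(raw_request: bytes) -> str:
    """Classify a request as the IPS would, with the allowlist as a second pass."""
    host = host_header(raw_request)
    if host is None:
        return "missing-host"
    if _SCRIPT_TAG_RE.search(host):
        return "block-signature"       # what the script-tag signature catches
    if not _HOST_RE.match(host):
        return "block-malformed"       # caught only by the hostname allowlist
    return "allow"


def safe_reflect(host: str) -> str:
    """Encode a header value before placing it in an HTML page (assumed fix)."""
    return html.escape(host, quote=True)


# Constructed sample requests (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: vpn.example.com\r\n\r\n",
    "benign_port": b"GET /index.html HTTP/1.1\r\nHost: vpn.example.com:443\r\n\r\n",
    "ipv6": b"GET /index.html HTTP/1.1\r\nHost: [::1]:443\r\n\r\n",
    "script_tag": (b"GET /index.html HTTP/1.1\r\n"
                   b"HOST: <script>alert(document.cookie)</script>\r\n\r\n"),
    "no_script_tag": (b"GET /index.html HTTP/1.1\r\n"
                      b"Host: \"><img src=x onerror=alert(1)>\r\n\r\n"),
    "no_host": b"GET /index.html HTTP/1.0\r\nUser-Agent: test\r\n\r\n",
}


def run_samples() -> Dict[str, str]:
    """Classify every sample; returns a name -> verdict mapping."""
    return {name: classify(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} {verdict}")
    print(safe_reflect(host_header(SAMPLES["no_script_tag"]) or ""))
```

The `no_script_tag` sample is the caveat worth noting: a signature that looks only for script tags allows it through, while the hostname allowlist rejects it because a valid Host value can never contain quotes or angle brackets. Whichever detection is deployed, encoding the value on output (`safe_reflect`) removes the injection rather than just filtering known payloads.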

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW2, and select the CGI Attacks protection group.
3. Click WordPress RSS Feed Generator self_link HTTP_HOST Cross Site Scripting (IPS-1 NGX R65 only). Although named for a WordPress issue, this is the generic Host-header script-tag signature that covers the ASA vulnerability.
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: WWW/CGI Attacks Protection Group
Description: WordPress RSS Feed Generator self_link HTTP_HOST Cross Site Scripting