Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Preemptive Protection against Multiple Microsoft Forefront UAG Cross-Site Scripting Vulnerabilities (MS10-089)

Subscribe

Check Point Reference: CPAI-2010-312
Date Published:
Preemptive Since:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS10-089
Industry Reference(s): CVE-2010-2733
CVE-2010-2734
CVE-2010-3936
Protection Provided by: Security Gateway
  • R71
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Forefront Unified Access Gateway 2010
Forefront Unified Access Gateway 2010 Update 1
Forefront Unified Access Gateway 2010 Update 2
Vulnerability Description
Multiple cross-site scripting vulnerabilities have been reported in Microsoft Forefront Unified Access Gateway (UAG). Microsoft Forefront UAG is a virtual private networking solution that provides secure remote access to corporate networks for remote employees and business partners. It incorporates various remote access technologies such as VPN, SSL-VPN, DirectAccess, and Remote Desktop Services. A remote attacker could exploit these issues to execute a cross-site scripting attack that could allow him to issue commands to the UAG server.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS10-089 
Vulnerability Details
These vulnerabilities result from improper input validation of the HTTP stream. This error provides the ability to execute a cross-site scripting attack through the UAG mobile portal. An attacker could exploit these issues by having a user visit the affected Web site using a specially crafted URL. Successful exploitation of these vulnerabilities could allow the attacker to inject a client-side script in the user's browser.

Protection Overview
This protection will detect and block Cross-Site Scripting attacks. No update is required to address these vulnerabilities.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > Application Layer.
2. In the right pane, double-click the Cross-Site Scripting protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings
4. The protection can be applied either to all HTTP traffic or to selected web servers.

Important note:
- If you choose to apply the protection to all HTTP traffic, set the security level to High in order to block the CVE-2010-2733 and the CVE-2010-2734 vulnerabilities. In order to block the CVE-2010-3936 vulnerability, it is sufficient to set the security level to Low.

- If you choose to apply the protection to selected web servers:
I. Next to "Apply to selected web servers" click Customize.
II. Choose the relevant web server and click Configure Default..

III. Important note:
Set the Security Level to High in order to block the CVE-2010-2733 and the CVE-2010-2734  vulnerabilities. In order to block the CVE-2010-3936 vulnerability, it is sufficient to set the security level to Low.

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL

VPN-1 NGX R65 & VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Application Layer > Cross Site Scripting.
2. In the configuration pane, under Settings > Mode, check Active.
3. The protection can be applied either to all HTTP traffic or to selected web servers. 

Important note:
Set the Security Level to High in order to block the CVE-2010-2733 and the CVE-2010-2734 vulnerabilities. In order to block the CVE-2010-3936 vulnerability, it is sufficient to set the security level to Low.

If you choose to apply the protection to selected web servers:
I. Next to "Apply to selected web servers" click Customize.
II. Choose the relevant web server and click Edit.
III. Next to "Cross Site Scripting" click Advanced.
 
IV. Important note:
Set the Security Level to High in order to block the CVE-2010-2733 and the CVE-2010-2734 vulnerabilities. In order to block the CVE-2010-3936 vulnerability, it is sufficient to set the security level to Low.

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the XSS Attacks protection group.
3. Click User Defined XSS Alert (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: XSS Attacks
Description: User Defined XSS Alert