-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Cisco ACE XML Gateway and WAF Information Disclosure Vulnerability
http://www.cert-in.org.in/vulnerability/civn-2009-116.htm
Original Issue Date: October 07, 2009
Severity Rating: Medium
Systems Affected
Cisco ACE XML Gateway versions prior to 6.1
Cisco ACE Web Application Firewall versions prior to 6.1
Overview
Cisco Application Control Engine contains a vulnerability that could allow
an unauthenticated, remote attacker to view sensitive information.
Description
The Cisco ACE (Application Control Engine) module is used in Cisco switches and
routers to provide load balancing, content switching and application delivery.
The Cisco ACE XML Gateway (AXG) is a component that secures and accelerates
Web Services. The Cisco ACE Web Application Firewall (WAF) is another component
that protects Web Services against XML-based attacks.
The reported vulnerability exists because data included in error messages is
handled unsafely. When an error occurs and the application does not properly
handle the error output, it returns an internal network address to the user.
The disclosed address is not the address of the AXG or WAF itself, but the
address of its client.
An unauthenticated, remote attacker could exploit this vulnerability by
sending a malformed network request to the application, triggering an error
condition. The error message the application then returns to the user
contains the internal address.
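The failure mode described above, as an added illustration that is not Cisco code and not part of the original advisory: a gateway error handler that builds its client-facing message from the raw exception text (which carries the peer address of the failed upstream connection) next to a hardened handler that logs the detail server-side and returns only an opaque reference id, plus a check that flags private, loopback or link-local IPv4 literals in a response body. The upstream address, the exception text and the function names are all constructed assumptions for the example.

```python
"""Illustration of an error handler that leaks an internal client address,
a hardened variant, and a response check for leaked internal addresses.
Constructed example: not Cisco code; addresses and messages are made up."""
import ipaddress
import logging
import re
import uuid

log = logging.getLogger("gateway")

# Constructed sample: the internal client/backend address the gateway talks to.
UPSTREAM = ("10.20.30.40", 8443)

# Dotted-quad candidates; each is then validated with the ipaddress module.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def vulnerable_error_response(exc: Exception) -> dict:
    """Unsafe: the client-facing body is built from the raw exception text,
    which carries the peer address of the failed connection."""
    return {"status": 502, "body": f"Gateway error: {exc}"}


def hardened_error_response(exc: Exception) -> dict:
    """Safe: the detail stays in the server log under a correlation id; the
    client sees a constant message plus the id to quote to support."""
    ref = uuid.uuid4().hex
    log.error("ref=%s upstream_error=%r", ref, exc)
    return {"status": 502, "body": f"Gateway error (ref {ref})"}


def leaked_internal_addresses(body: str) -> list[str]:
    """Check: every private, loopback or link-local IPv4 literal found in a
    response body. Run it against error responses to confirm that nothing
    internal is echoed back to the caller."""
    found = []
    for candidate in _IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. an octet above 255
            continue
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            found.append(candidate)
    return found


def simulate_malformed_request(handler) -> dict:
    """Drive the error path: a malformed request makes the upstream
    connection fail, and the raised exception names the internal peer."""
    try:
        raise ConnectionError(
            f"connection to {UPSTREAM[0]}:{UPSTREAM[1]} reset by peer"
        )
    except ConnectionError as exc:
        return handler(exc)


if __name__ == "__main__":
    for handler in (vulnerable_error_response, hardened_error_response):
        resp = simulate_malformed_request(handler)
        verdict = "LEAKS" if leaked_internal_addresses(resp["body"]) else "clean"
        print(f"{handler.__name__}: {resp['body']!r} -> {verdict}")
```

After an upgrade, the same check can be pointed at the bodies of deliberately triggered error responses from the gateway: any hit on an RFC 1918, loopback or link-local literal means the error path is still echoing internal topology.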
Solution
Upgrade to version 6.1 as described in the Cisco security response below:
http://www.cisco.com/warp/public/707/cisco-sr-20090925-axg.shtml
Vendor Information
CISCO
http://www.cisco.com/warp/public/707/cisco-sr-20090925-axg.shtml
References
CISCO
http://www.cisco.com/warp/public/707/cisco-sr-20090925-axg.shtml
VUPEN
http://www.vupen.com/english/advisories/2009/2778
Secunia
http://secunia.com/advisories/36879/
Disclaimer
The information provided herein is on "as is" basis, without warranty of
any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wsBVAwUBSsyABnWXeYNsoT30AQqpvQf8DP1mtRiHV4uywTUbeKA++oRh+zDLpyQp
SS8cF4QEUhe5EFNamkHISZ4EI7ZH/EH31Vu4gFbP6bEyZLci8pVanubxfnRKMxsG
OysqG0vY4lYaaPT4AhAqUNHYmtYQVngzO4bzaBG4GXSARhnKomdsBDfcwMm6xEbq
piJn8n1RKfPGemfG0aOzknLUye2+EwcanN0384CBD3747LMkUe6oaAiTXITk52E7
vd7C8Ii+da1ER5A7DyClen32EvG6TqpuOKWf3MaOn552i1FBLrAP2CPeux7bMieq
tvyPPiJ2+Grckl49ZK+hn3GhDqk8YEBcA5LNfmWapVG1tA5qYbhDbw==
=X0S1
-----END PGP SIGNATURE-----