Vigil@nce: Cisco ASA, bypassing WebVPN Bookmark
December 2009 by Vigil@nce
An authenticated attacker can use the WebVPN Bookmark feature, in
order to access to sites which are not limited by an ACL.
– Severity: 1/4
– Consequences: data reading
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 18/12/2009
IMPACTED PRODUCTS
– Cisco PIX/ASA Software
DESCRIPTION OF THE VULNERABILITY
The Cisco ASA product provides an access via a Clientless SSL VPN
(WebVPN).
The Bookmark feature is used by administrators to define a list of
urls that are frequently used.
In some cases, the administrator disables the direct url entry on
the interface. Users can thus only apparently access to sites
defined in the Bookmark.
However, the Bookmark feature is not a filter. If the
administrator did not define an ACL to limit urls, an attacker can
use ROT13 to access to other web sites.
CHARACTERISTICS
– Identifiers: 19609, VIGILANCE-VUL-9303
– Url: http://vigilance.fr/vulnerability/Cisco-ASA-bypassing-WebVPN-Bookmark-9303