In-Depth

In Brief

Cisco sign-on, IE cross-scripting lead vulnerabilities this week

• By Mathew Schwartz
• 04/14/2004

Cisco backdoor vulnerability

Cisco warned that a default username and password pair exist in all versions of its Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. “A user who logs in using this username has complete control of the device. This username cannot be disabled. There is no workaround,” notes the Cisco security advisory. Cisco has released a patch.

WLSE is a centralized console for rolling out and managing a Cisco wireless LAN (WLAN) infrastructure. HSE is hardware that monitors electronic business services in data centers, providing such things as fault and performance information. The vulnerability allows someone to access either product with full privileges, then add, modify, or remove users or change the device’s configuration.

Underlying the need to upgrade quickly, Cisco noted several potential attacks that exploit the vulnerability. On WLSE, an attacker could hide a rogue access point, then use it to monitor or access network resources, or launch difficult-to-trace attacks on other Web sites. An attacker could also modify Wi-Fi radio frequency information to disable an enterprise’s wireless access.

Using an exploited HSE, an attacker could likewise cloak attacks launched on others, or even redirect Web sites to different URLs.

For more information, visit: http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml

Internet Explorer Cross-Scripting Vulnerability Also Affects Outlook

Microsoft Internet Explorer (IE) contains a cross-domain scripting vulnerability. If exploited, an attacker could run arbitrary code with privileges equal to the user’s, and read or manipulate data in other domains or IE zones.

The vulnerability is in Internet Explorer’s ITS protocol handler, which doesn’t handle IE help files correctly. According to Microsoft, the help system uses “underlying components of Microsoft Internet Explorer to display help content” in such formats as HTML, ActiveX, Java, and the scripting languages JScript and Microsoft Visual Basic Scripting Edition. The problem arises when a piece of the help file can’t be found; ITS looks elsewhere for the help file, then confers local security privileges on the new help file, which might exist in a different domain or zone.

If an attacker tricks a user into viewing a specially crafted HTML page, or viewing an e-mail containing a specially crafted HTML page, it could run a script to exploit the flaw, resulting in the attacker being able to run arbitrary code on the user’s computer.

Programs that use the WebBrowser ActiveX control or IE’s HTML rendering engine may also be at risk. Such programs include not only IE, but also Outlook and Outlook Express.

CERT says vulnerability exploits are already in the wild, including the Ibiza Trojan software, Bugbear variants, and Bloodhound. “It is important to note that any arbitrary executable payload could be delivered via this vulnerability,” it cautions.

No fix is currently available. In the interim, Microsoft recommends administrators disable ITS protocol handlers, though warns to reinstate them following a patch, or else users will permanently lose some help functionality.

CERT recommends administrators disable ActiveX scripting and controls, warn users to “not follow unsolicited links,” and keep antivirus software updated to filter out viruses and worms that exploit the vulnerability.

Link to CERT advisory: http://www.us-cert.gov/cas/techalerts/TA04-099A.html