Vulnerable Systems:
* Cisco Guard Appliance (Software Version 3.X)
* Cisco Guard Blade (Software Version 4.X)
* Cisco Guard Appliance [Software Version 5.0(3)]
* Cisco Guard Appliance [Software Version 5.1(5)]
The Cisco Guard DDoS Mitigation Appliance is a distributed denial-of-service (DDoS) protection system. Malicious DoS traffic is identified with a Cisco Detector and diverted to the Guard for attack mitigation. Under normal circumstances, the Guard plays no role in valid traffic; it is specifically designed to deal with large volumes of invalid traffic.
Cross Site Scripting (XSS) is an attack where a user follows a link that contains an embedded script. The link often looks valid, and sends the user to a valid site. The recipient website does not contain the link that was sent, and it sends a meta-refresh back to the user without validating the data it received. When receiving the meta-refresh, the web browser interprets the script as an instruction from the website and the script is executed on the user's machine.
In this case, when the anti-spoofing feature is enabled, all diverted HTTP traffic is inspected and then a meta-refresh is sent to the client containing the original request. If the original URL contains a script and a specific character sequence, the meta-refresh from the Guard will allow the client machine to execute the malicious script.
Several conditions must be true for the malicious script to be processed:
* The client user must follow a URL with a specifically formatted, embedded script to a site protected by the Guard.
* The Guard must be running active basic protection, going through basic/redirect protection.
* The specially crafted HTTP request must be diverted through the Guard, and processed by the Guard.
Only if all of the above conditions are met will the client receive the meta-refresh and process the embedded script.
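The following is an added example, not code from Cisco or from the original advisory. It shows the general flaw class described above (a request URL echoed unvalidated into a meta-refresh) beside one assumed mitigation. The host shop.example, the sample URL and all function names are constructed for illustration, and the sample is not the character sequence the advisory refers to.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

PAGE = '<html><head><meta http-equiv="refresh" content="0;url={}"></head></html>'

def refresh_page_unsafe(original_url):
    # Flaw class: the request URL is echoed back without validation or encoding.
    return PAGE.format(original_url)

def refresh_page_safe(original_url, protected_host):
    # Assumed mitigation: re-parse the URL, pin the host, percent-encode the
    # path and query, then HTML-escape the result. Ports are ignored for brevity.
    try:
        parts = urlsplit(original_url)
        host_ok = parts.scheme in ("http", "https") and parts.hostname == protected_host
    except ValueError:
        host_ok = False
    if not host_ok:
        target = "http://" + protected_host + "/"   # fall back to the site root
    else:
        path = quote(parts.path, safe="/%") or "/"
        query = quote(parts.query, safe="=&%")
        target = f"{parts.scheme}://{protected_host}{path}" + ("?" + query if query else "")
    return PAGE.format(html.escape(target, quote=True))

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.refresh = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "meta":
            self.refresh = dict(attrs).get("content")

def inspect(page):
    """Return (start tags an HTML parser sees, content of the meta refresh)."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.refresh

# Constructed sample: markup-breaking characters in the query string.
SAMPLE = 'http://shop.example/search?q="><i>x</i>'

if __name__ == "__main__":
    print(inspect(refresh_page_unsafe(SAMPLE)))              # extra <i> tag escapes the attribute
    print(inspect(refresh_page_safe(SAMPLE, "shop.example")))  # only html, head, meta
```

Any start tag other than html, head and meta in the parsed output means request data escaped the content attribute and was interpreted as markup.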
Vendor Status:
Cisco has issued an update to correct this vulnerability.