Cisco Web Security Appliance Filter Bypass Vulnerability
Description
Cisco Web Security Appliance's WBRS engine mishandles URL character combinations, allowing unauthenticated remote attackers to bypass web request policies and access blocked content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the Web-Based Reputation Score (WBRS) engine of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA). It arises from incorrect handling of certain character combinations inserted into a URL. Affected releases are 11.7, 11.8, 12.0, 12.5, and 14.0 (prior to 14.0.2). Releases earlier than 11.7, and release 14.5, are not vulnerable [1].
Exploitation
An unauthenticated, remote attacker can exploit this vulnerability by sending crafted URLs to an affected WSA device. No authentication or special network access is required; the attacker need only submit HTTP requests through the proxy. The crafted URLs contain specific character sequences that the WBRS engine mishandles, causing it to evaluate the URL incorrectly against configured web request policies [1].
Impact
Successful exploitation allows the attacker to bypass the web proxy's policy enforcement and access web content that would otherwise be blocked. This violates the intended access controls and permits unauthorized retrieval of restricted content [1].
Mitigation
Cisco released a fix in version 14.0.2 for WSA running 14.0. For releases 11.7 through 12.5, customers should migrate to a fixed release (e.g., 14.0.2 or later). No workarounds are described in the advisory. Users are advised to upgrade to the latest appropriate release to mitigate the vulnerability [1].
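A fleet triage check built from the release ranges stated above, as an added example (not code from Cisco or from the original page). It assumes AsyncOS version strings of the form major.minor.maintenance-build; `classify` and `triage` are hypothetical helper names, and the hostnames and build numbers in the sample inventory are constructed.

```python
import re

# Release trains the page lists as affected. The value is the first fixed
# release inside that train, or None when the page names no in-train fix.
AFFECTED_TRAINS = {(11, 7): None, (11, 8): None, (12, 0): None,
                   (12, 5): None, (14, 0): (14, 0, 2)}
NOT_VULNERABLE_TRAINS = {(14, 5)}  # stated as not vulnerable on the page
FIRST_AFFECTED = (11, 7)           # anything earlier is not vulnerable

# Assumed format: major.minor[.maintenance][-build]
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?\s*$")

def classify(version):
    """Return 'affected', 'fixed', 'not-vulnerable' or 'unknown'."""
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    # A missing maintenance number is treated as 0 so the check fails closed.
    maint = int(m.group(3) or 0)
    train = (major, minor)
    if train < FIRST_AFFECTED or train in NOT_VULNERABLE_TRAINS:
        return "not-vulnerable"
    if train not in AFFECTED_TRAINS:
        return "unknown"   # the page is silent on this train: read the advisory
    fixed = AFFECTED_TRAINS[train]
    if fixed is None:
        return "affected"  # no in-train fix listed: migrate to a fixed release
    return "fixed" if (major, minor, maint) >= fixed else "affected"

def triage(inventory):
    """Return (host, version, status) rows, most urgent status first."""
    order = {"affected": 0, "unknown": 1, "fixed": 2, "not-vulnerable": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = {
    "wsa-edge-01": "14.0.1-053",
    "wsa-edge-02": "14.0.2-012",
    "wsa-lab-01": "12.5.4-011",
    "wsa-old-01": "11.5.2-020",
    "wsa-new-01": "14.5.0-498",
    "wsa-dr-01": "12.7.0-033",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{status:15} {host:12} {ver}")
```

Trains the page does not mention are reported as `unknown` rather than guessed, so they can be checked against the vendor advisory [1].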
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
- Range: n/a
Patches
No patches discovered yet.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-swa-filter-bypass-XXXTU3X (mitre, vendor-advisory, x_refsource_CISCO)