Clientless SSL VPN products, which give employees access to company servers via a Web browser, operate in a way that could expose users to man-in-the-middle attacks, according to an advisory issued by the U.S. Computer Emergency Readiness Team (US CERT).
The advisory lists dozens of affected vendors that provide SSL VPN products, including Cisco Systems Inc., Juniper Networks Inc., 3Com Corp. and others. Clientless SSL VPNs break fundamental browser security mechanisms, the advisory warned. "An attacker could use these devices to bypass authentication or conduct other Web-based attacks."
The SSL VPN vulnerability is serious because clientless VPNs often give users access to internal webmail servers, internal fileshares and remote desktop capabilities, giving attackers a way into sensitive company data.
To exploit the SSL VPN vulnerability, an attacker would have to target a specific domain and trick a user into visiting a malicious webpage, enabling the attacker to obtain VPN session tokens or to read or modify content from any site accessed through a clientless SSL VPN. The method could also allow an attacker to capture the keystrokes of a victim interacting with a webpage.
"This effectively eliminates same origin policy restrictions in all browsers," the US CERT said. "Because all content runs at the privilege level of the Web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed."
There is no known fix for the vulnerability. The advisory urges administrators to deploy workarounds and check with the specific clientless VPN vendor for product-specific instructions. Administrators can limit URL rewriting to trusted domains, configure the VPN device to access only specific network domains and disable URL hiding features.
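The sketch below is an added illustration, not code from the advisory or from any vendor. It models how a rewriting gateway puts every proxied site under one browser origin, and how the "limit URL rewriting to trusted domains" workaround can be checked; the gateway hostname `webvpn.example.com`, the `/proxy/` path scheme, the function names and the sample URLs are all assumptions.

```javascript
// Toy model of a clientless-VPN URL rewriter (hypothetical names throughout).
const VPN_BASE = "https://webvpn.example.com"; // assumed gateway hostname

// Rewrite a target URL the way a clientless gateway proxies it: the real
// scheme and host move into the path, so the browser only sees VPN_BASE.
function rewrite(target) {
  const u = new URL(target);
  const scheme = u.protocol.slice(0, -1); // "https:" -> "https"
  return `${VPN_BASE}/proxy/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// The same-origin policy compares scheme + host + port, nothing else.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Workaround check: only rewrite hosts on an explicit allowlist.
// Match the exact host or a dot-delimited subdomain, never a substring,
// so "corp.example.untrusted.example.net" does not pass for "corp.example".
function isTrusted(target, trustedDomains) {
  let u;
  try { u = new URL(target); } catch { return false; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  const host = u.hostname.toLowerCase();
  return trustedDomains.some((d) => host === d || host.endsWith("." + d));
}

// Returns the rewritten URL, or null when the gateway should refuse.
function rewriteIfTrusted(target, trustedDomains) {
  return isTrusted(target, trustedDomains) ? rewrite(target) : null;
}

// Constructed sample data.
const TRUSTED = ["corp.example"];
const intranet = "https://mail.corp.example/inbox";
const external = "https://untrusted.example.net/page";
const lookalike = "https://corp.example.untrusted.example.net/";

console.log(sameOrigin(intranet, external));                   // distinct origins
console.log(sameOrigin(rewrite(intranet), rewrite(external))); // one shared origin
console.log(rewriteIfTrusted(external, TRUSTED));              // refused
console.log(rewriteIfTrusted(lookalike, TRUSTED));             // refused
```

The allowlist only narrows which sites end up sharing the gateway's origin; sites that remain on it are still not isolated from one another by the browser.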
The vulnerability was discovered by security researchers David Warren and Ryan Giobbi, with help from Michael Zalewski.