US CERT warns of clientless SSL VPN vulnerability

SearchSecurity.com Staff

Clientless SSL VPN products, which give employees access to company servers via a Web browser, operate in a way that could expose users to man-in-the-middle attacks, according to an advisory issued by the U.S. Computer Emergency Readiness Team (US CERT).

The advisory lists dozens of affected vendors that provide SSL VPN products, including Cisco Systems Inc., Juniper Networks Inc., 3Com Corp. and others. Clientless SSL VPNs break fundamental browser security mechanisms, the advisory warned. "An attacker could use these devices to bypass authentication or conduct other Web-based attacks."

The SSL VPN vulnerability is serious because clientless VPNs often give users access to internal webmail servers, internal fileshares and remote desktop capabilities, giving attackers a way into sensitive company data.

To exploit the SSL VPN vulnerability, an attacker would have to target a specific domain and trick a user into visiting a malicious webpage, enabling them to obtain VPN session tokens or to read or modify content from any site accessed through a clientless SSL VPN. The method could also allow an attacker to capture the keystrokes of a victim interacting with a webpage.

"This effectively eliminates same origin policy restrictions in all browsers," the US CERT said. "Because all content runs at the privilege level of the Web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed."

There is no known fix for the vulnerability. The advisory urges administrators to deploy workarounds and to check with their clientless VPN vendor for product-specific instructions. Administrators can limit URL rewriting to trusted domains, configure the VPN device to access only specific network domains, and disable URL hiding features.
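The origin collapse described above, and the "limit URL rewriting to trusted domains" workaround, as an added example that is not part of the advisory or any vendor's product: a clientless SSL VPN rewrites every proxied page so that it is served from the VPN host, so two unrelated sites that the browser would keep apart end up sharing one origin. The "/+rewrite+/" path format, the hostnames and the trusted-host list are constructed for illustration.

```javascript
// Added example (not from the advisory or any vendor): models how a clientless
// SSL VPN that rewrites URLs collapses distinct web origins into one, and how
// restricting rewriting to trusted domains limits the exposure.
// The "/+rewrite+/" path layout is a hypothetical scheme chosen for illustration.

// Origin as the browser computes it for the same-origin policy: scheme, host, port.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Hypothetical rewriting proxy: every fetched page is served from the VPN host,
// with the real scheme and host folded into the path.
function rewriteUrl(targetUrl, vpnHost) {
  const t = new URL(targetUrl);
  const scheme = t.protocol.replace(':', '');
  return `https://${vpnHost}/+rewrite+/${scheme}/${t.host}${t.pathname}${t.search}`;
}

// Workaround from the advisory: only rewrite (proxy) hosts on a trusted list.
// Anything else is refused rather than being served from the VPN origin.
function rewriteIfTrusted(targetUrl, vpnHost, trustedHosts) {
  const host = new URL(targetUrl).host;
  if (!trustedHosts.has(host)) return null;
  return rewriteUrl(targetUrl, vpnHost);
}

// Constructed sample: an internal webmail server and an unrelated external site.
const VPN_HOST = 'vpn.example.com';
const INTERNAL = 'https://webmail.internal.example/inbox';
const EXTERNAL = 'https://external-site.example/page?x=1';

function demo() {
  const direct = [originOf(INTERNAL), originOf(EXTERNAL)];
  const proxied = [
    originOf(rewriteUrl(INTERNAL, VPN_HOST)),
    originOf(rewriteUrl(EXTERNAL, VPN_HOST)),
  ];
  const trusted = new Set(['webmail.internal.example']);
  return {
    // Fetched directly, the browser keeps the two sites in separate origins.
    directOriginsDiffer: direct[0] !== direct[1],
    // Fetched through the rewriting VPN, both collapse into the VPN's origin,
    // so script from one can reach the DOM and cookies of the other.
    proxiedOriginsSame: proxied[0] === proxied[1],
    // With an allowlist, the untrusted site is never proxied at all.
    externalBlocked: rewriteIfTrusted(EXTERNAL, VPN_HOST, trusted) === null,
    internalAllowed: rewriteIfTrusted(INTERNAL, VPN_HOST, trusted) !== null,
  };
}

console.log(demo());
```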

The vulnerability was discovered by security researchers David Warren and Ryan Giobbi, with help from Michal Zalewski.
