News Stay informed about the latest enterprise technology news and product updates.

US CERT warns of clientless SSL VPN vulnerability

VPN software from Cisco Systems, Juniper and others make users susceptible to Web-based attacks, according to an advisory from the U.S. Computer Emergency Readiness Team.

Clientless SSL VPN products, which give employees access to company servers via a Web browser, operate in a way that could expose users to man-in-the-middle attacks, according to an advisory issued by the U.S. Computer Emergency Readiness Team (US CERT).
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The advisory lists dozens of affected vendors that provide SSL VPN products, including Cisco Systems Inc., Juniper Networks Inc., 3com Corp. and others. Clientless SSL VPNs break fundamental browser security mechanisms, the advisory warned. "An attacker could use these devices to bypass authentication or conduct other Web-based attacks."

The SSL VPN vulnerability is serious because clientless VPNs often give users access to internal webmail servers, internal fileshares and remote desktop capabilities, giving attackers a way into sensitive company data.

SSL VPN security:
Pen testing your VPN: Your VPN is a vital gateway into your network for your company's road warriors, telecommuters and other remote users. Pen testing a VPN is straightforward, and there are some common tools for the job. It's not much different from the rest of your pen testing routine and should be part of it.

To exploit the SSL VPN vulnerability, an attacker would have to target a specific domain and trick a user to visit a malicious webpage, enabling them to obtain VPN session tokens or read or modify content from any site access through a clientless SSL VPN. The method could allow an attacker to capture keystrokes of a victim interacting with a webpage.

"This effectively eliminates same origin policy restrictions in all browsers," the US CERT said. "Because all content runs at the privilege level of the Web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed."

There is no known fix to the vulnerability. The advisory urges administrators to deploy workarounds and check with the specific clientless VPN vendor for product specific instructions. Administrators can limit URL rewriting to trusted domains, configure the VPN device to only access specific network domains and disable URL hiding features.

The vulnerability was discovered by security researchers David Warren and Ryan Giobbi, with help from Michael Zalewski.

Dig Deeper on VPN security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.