Clientless SSL VPN products from multiple vendors put users at risk of a variety of web-based attacks because they “break fundamental browser security mechanisms”. The announcement was made yesterday by US-CERT through a security advisory.
So far, products from Juniper, Cisco Systems, SafeNet and SonicWall are known to be affected.
The advisory also says that “by convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN.” The attacker could thus manage to capture keystrokes while a user is interacting with a web page.
Since there is as yet no solution to this problem, administrators are advised to limit URL rewriting and VPN server network connectivity to trusted domains, disable URL hiding features, and contact the manufacturer of the product(s) they are using to discover whether they are affected by the vulnerability.
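
The following is an added example, not taken from the advisory or from any vendor. It shows how URL rewriting makes every proxied site share the VPN portal's origin in the browser, and a domain allowlist check of the kind the mitigation describes. The `/proxy/<scheme>/<host>/<path>` layout, the hostnames and the function names are constructed assumptions.

```javascript
// Added illustration; the /proxy/<scheme>/<host>/<path> layout and all hostnames
// below are constructed assumptions, not any vendor's real rewriting scheme.
const VPN_BASE = "https://vpn.example.test";

// Rewrite a target URL so the browser fetches it via the VPN web portal.
function rewriteThroughVpn(targetUrl, vpnBase = VPN_BASE) {
  const t = new URL(targetUrl);
  const scheme = t.protocol.replace(":", "");
  return `${vpnBase}/proxy/${scheme}/${t.host}${t.pathname}${t.search}`;
}

// Origin as the browser's same-origin policy sees it (scheme + host + port).
function browserOrigin(url) {
  return new URL(url).origin;
}

// Count distinct origins before and after rewriting.
function originCounts(targetUrls, vpnBase = VPN_BASE) {
  const direct = new Set(targetUrls.map(browserOrigin));
  const viaVpn = new Set(targetUrls.map((u) => browserOrigin(rewriteThroughVpn(u, vpnBase))));
  return { direct: direct.size, viaVpn: viaVpn.size };
}

// Mitigation check: only rewrite http(s) URLs whose host is a trusted domain
// or a subdomain of one. Matching uses the parsed hostname, never the raw string.
function isRewriteAllowed(targetUrl, trustedDomains) {
  let t;
  try {
    t = new URL(targetUrl);
  } catch {
    return false; // unparseable input is rejected
  }
  if (t.protocol !== "https:" && t.protocol !== "http:") return false;
  const host = t.hostname.toLowerCase().replace(/\.$/, "");
  return trustedDomains.some((d) => {
    const dom = d.toLowerCase();
    return host === dom || host.endsWith("." + dom);
  });
}

// Constructed sample data.
const TRUSTED = ["intranet.example.test"];
const SITES = [
  "https://wiki.intranet.example.test/home",
  "https://mail.intranet.example.test/inbox",
  "https://news.other.test/story?id=1",
];
console.log(originCounts(SITES));
console.log(SITES.map((u) => [u, isRewriteAllowed(u, TRUSTED)]));
```

Three separate origins become one once rewritten, which is why the browser no longer isolates the sites from each other; the allowlist keeps untrusted hosts out of that shared origin.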