Clientless SSL VPN products break browser security mechanisms

Clientless SSL VPN products from multiple vendors put users at risk of a variety of web-based attacks because they “break fundamental browser security mechanisms”. The announcement was made yesterday by the US CERT through a security advisory.

So far, it is known that products from Juniper, Cisco Systems, SafeNet and Sonic Wall are affected.

“Web browsers enforce the same origin policy to prevent one site’s active content (such as JavaScript) from accessing or modifying another site’s data. Many clientless SSL VPN products retrieve content from different sites, then present that content as coming from the SSL VPN, effectively circumventing browser same origin restrictions,” states the CERT advisory.

It also says that “by convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN.” The attacker could thus manage to capture keystrokes while a user is interacting with a web page.

Since there is yet no solution to this problem, administrators are advised to limit URL rewriting and VPN server network connectivity to trusted domains, disable URL hiding features, and to contact the manufacturer of the product(s) they are using to discover if they are affected by the vulnerability.