Feeds

Cisco and Juniper 'clientless' VPNs expose netizens

No cure for authentication bypass

Beginner's guide to SSL certificates

Virtual private networking software from Cisco Systems, Juniper, and other manufacturers can make users susceptible to a variety of web-based attacks, the US Computer Emergency Readiness Team warned on Monday.

So-called clientless SSL VPN products, which provide browser-based access to intranets, email and other internal resources, expose users to attacks that allow eavesdroppers to view passwords and keystrokes. Of the 90 companies known to market products that use the technology, Cisco, Juniper, SafeNet and Sonic Wall are known to be affected, while it's unclear if an additional 77 are vulnerable.

The weakness can be exploited only in attacks that are narrowly targeted at a particular website or domain, so there's not much chance of attack code going public that automates the process. But given the wealth of proprietary information hiding behind the typical VPN, it can nonetheless be used by determined attackers to bypass a website's authentication.

"It does look like a legitimate concern," said independent hacker Chris Paget. "I would be quite concerned if my site was working in the way described in the advisory. It's definitely a vulnerability and definitely something people should be aware of."

Clientless SSL subverts what's known as the same origin policy. That's the fundamental tenet of web security that forbids javascript, cookies and other content on one domain name from being available to a separate internet address.

Clientless SSL VPNs allow users to tunnel through a website that's protected by secure sockets layer encryption when accessing webmail, intranets and other sites. In the process, third-party hyperlinks and cookies are converted so they can be used by the VPN. Attackers can cause the content to be altered in a way that allows session IDs used to authenticate users to be stolen or modified.

"By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN," the CERT advisory stated. "This effectively eliminates same origin policy restrictions in all browsers."

The technique can be used to subvert domain-based content restrictions in Internet Explorer security zones and the NoScript addon for Firefox.

There is no solution to the weakness, the advisory warns. "Depending on their specific configuration and location in the network, these devices may be impossible to operate securely." Given the severity of the advisory, it would behoove clientless SSL VPN users to check with their supplier to find out if their particular implementation is vulnerable.

The issue was discovered by researchers David Warren and Ryan Giobbi, with help from Michael Zalewski. The advisory is here. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.