Feeds

Cisco and Juniper 'clientless' VPNs expose netizens

No cure for authentication bypass

SANS - Survey on application security programs

Virtual private networking software from Cisco Systems, Juniper, and other manufacturers can make users susceptible to a variety of web-based attacks, the US Computer Emergency Readiness Team warned on Monday.

So-called clientless SSL VPN products, which provide browser-based access to intranets, email and other internal resources, expose users to attacks that allow eavesdroppers to view passwords and keystrokes. Of the 90 companies known to market products that use the technology, Cisco, Juniper, SafeNet and Sonic Wall are known to be affected, while it's unclear if an additional 77 are vulnerable.

The weakness can be exploited only in attacks that are narrowly targeted at a particular website or domain, so there's not much chance of attack code going public that automates the process. But given the wealth of proprietary information hiding behind the typical VPN, it can nonetheless be used by determined attackers to bypass a website's authentication.

"It does look like a legitimate concern," said independent hacker Chris Paget. "I would be quite concerned if my site was working in the way described in the advisory. It's definitely a vulnerability and definitely something people should be aware of."

Clientless SSL subverts what's known as the same origin policy. That's the fundamental tenet of web security that forbids javascript, cookies and other content on one domain name from being available to a separate internet address.

Clientless SSL VPNs allow users to tunnel through a website that's protected by secure sockets layer encryption when accessing webmail, intranets and other sites. In the process, third-party hyperlinks and cookies are converted so they can be used by the VPN. Attackers can cause the content to be altered in a way that allows session IDs used to authenticate users to be stolen or modified.

"By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN," the CERT advisory stated. "This effectively eliminates same origin policy restrictions in all browsers."

The technique can be used to subvert domain-based content restrictions in Internet Explorer security zones and the NoScript addon for Firefox.

There is no solution to the weakness, the advisory warns. "Depending on their specific configuration and location in the network, these devices may be impossible to operate securely." Given the severity of the advisory, it would behoove clientless SSL VPN users to check with their supplier to find out if their particular implementation is vulnerable.

The issue was discovered by researchers David Warren and Ryan Giobbi, with help from Michael Zalewski. The advisory is here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.