Feeds

Cisco and Juniper 'clientless' VPNs expose netizens

No cure for authentication bypass

Website security in corporate America

Virtual private networking software from Cisco Systems, Juniper, and other manufacturers can make users susceptible to a variety of web-based attacks, the US Computer Emergency Readiness Team warned on Monday.

So-called clientless SSL VPN products, which provide browser-based access to intranets, email and other internal resources, expose users to attacks that allow eavesdroppers to view passwords and keystrokes. Of the 90 companies known to market products that use the technology, Cisco, Juniper, SafeNet and Sonic Wall are known to be affected, while it's unclear if an additional 77 are vulnerable.

The weakness can be exploited only in attacks that are narrowly targeted at a particular website or domain, so there's not much chance of attack code going public that automates the process. But given the wealth of proprietary information hiding behind the typical VPN, it can nonetheless be used by determined attackers to bypass a website's authentication.

"It does look like a legitimate concern," said independent hacker Chris Paget. "I would be quite concerned if my site was working in the way described in the advisory. It's definitely a vulnerability and definitely something people should be aware of."

Clientless SSL subverts what's known as the same origin policy. That's the fundamental tenet of web security that forbids javascript, cookies and other content on one domain name from being available to a separate internet address.

Clientless SSL VPNs allow users to tunnel through a website that's protected by secure sockets layer encryption when accessing webmail, intranets and other sites. In the process, third-party hyperlinks and cookies are converted so they can be used by the VPN. Attackers can cause the content to be altered in a way that allows session IDs used to authenticate users to be stolen or modified.

"By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN," the CERT advisory stated. "This effectively eliminates same origin policy restrictions in all browsers."

The technique can be used to subvert domain-based content restrictions in Internet Explorer security zones and the NoScript addon for Firefox.

There is no solution to the weakness, the advisory warns. "Depending on their specific configuration and location in the network, these devices may be impossible to operate securely." Given the severity of the advisory, it would behoove clientless SSL VPN users to check with their supplier to find out if their particular implementation is vulnerable.

The issue was discovered by researchers David Warren and Ryan Giobbi, with help from Michael Zalewski. The advisory is here. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.