Feeds

Cisco and Juniper 'clientless' VPNs expose netizens

No cure for authentication bypass

Security for virtualized datacentres

Virtual private networking software from Cisco Systems, Juniper, and other manufacturers can make users susceptible to a variety of web-based attacks, the US Computer Emergency Readiness Team warned on Monday.

So-called clientless SSL VPN products, which provide browser-based access to intranets, email and other internal resources, expose users to attacks that allow eavesdroppers to view passwords and keystrokes. Of the 90 companies known to market products that use the technology, Cisco, Juniper, SafeNet and Sonic Wall are known to be affected, while it's unclear if an additional 77 are vulnerable.

The weakness can be exploited only in attacks that are narrowly targeted at a particular website or domain, so there's not much chance of attack code going public that automates the process. But given the wealth of proprietary information hiding behind the typical VPN, it can nonetheless be used by determined attackers to bypass a website's authentication.

"It does look like a legitimate concern," said independent hacker Chris Paget. "I would be quite concerned if my site was working in the way described in the advisory. It's definitely a vulnerability and definitely something people should be aware of."

Clientless SSL subverts what's known as the same origin policy. That's the fundamental tenet of web security that forbids javascript, cookies and other content on one domain name from being available to a separate internet address.

Clientless SSL VPNs allow users to tunnel through a website that's protected by secure sockets layer encryption when accessing webmail, intranets and other sites. In the process, third-party hyperlinks and cookies are converted so they can be used by the VPN. Attackers can cause the content to be altered in a way that allows session IDs used to authenticate users to be stolen or modified.

"By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN," the CERT advisory stated. "This effectively eliminates same origin policy restrictions in all browsers."

The technique can be used to subvert domain-based content restrictions in Internet Explorer security zones and the NoScript addon for Firefox.

There is no solution to the weakness, the advisory warns. "Depending on their specific configuration and location in the network, these devices may be impossible to operate securely." Given the severity of the advisory, it would behoove clientless SSL VPN users to check with their supplier to find out if their particular implementation is vulnerable.

The issue was discovered by researchers David Warren and Ryan Giobbi, with help from Michael Zalewski. The advisory is here. ®

Secure remote control for conventional and virtual desktops

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.