Executive Summary

Summary

Title: Clientless SSL VPN products break web browser domain-based security models

Information

Name: VU#261869
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2009-11-30
Last vendor modification: 2010-04-06
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS base score: 6.8
CVSS impact score: 6.4
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#261869

Clientless SSL VPN products break web browser domain-based security models

Overview

Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

I. Description

Web browsers enforce the same origin policy to prevent one site's active content (such as JavaScript) from accessing or modifying another site's data. For instance, active content hosted at http://<example.com>/page1.html can access DOM objects on http://<example.com>/page2.html, but cannot access objects hosted at http://<example.net>/page.html. Many clientless SSL VPN products retrieve content from different sites, then present that content as coming from the SSL VPN, effectively circumventing browser same origin restrictions.

Clientless SSL VPNs provide browser-based access to internal and external resources without the need to install a traditional VPN client. Typically, these web VPNs are used to access intranet sites (such as an internal webmail server), but many have more capabilities, such as providing access to internal fileshares and remote desktop capabilities. To connect to a VPN, a web browser is used to authenticate to the web VPN, then the web VPN retrieves and presents the content from the requested pages.

Web VPN servers interact with clients using a process similar to what is described below:

  1. The user presents credentials to the web VPN using a web browser. The authentication can be done through username and password submission, or can involve multi-factor authentication.
  2. The web VPN authenticates the user and assigns an ID to the session, which is sent to the user's browser in the form of a cookie.
  3. The user can then browse internal resources, such as a webmail server or intranet webserver. URLs as viewed by the user's web browser may be similar to https://<webvpnserver>/www.intranet.example.com.

As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link to http://<www.intranet.example.com>/mail.html becomes https://<webvpnserver>/www.intranet.example.com/mail.html. Cookies set by the requested webserver may be converted into globally unique cookies before being passed to the user's browser, which prevents collision between two identically named cookies from different requested domains. For example, a sessionid cookie set by intranet.example.com could be renamed to intranet.example.com_sessionid before it is sent from the web VPN to the user's browser. Additionally, the web VPN may replace references to specific HTML DOM objects, such as document.cookie. These DOM objects may be replaced with script that returns the value for that DOM object as if it had been accessed in the context of the requested site's domain.
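The following is an added example, not code from the CERT note or from any vendor's product. It models, in a few lines of Node.js, the link rewriting and cookie renaming just described, and then applies the browser's origin comparison from the same origin policy discussion above to show the core problem: two sites that are distinct origins when visited directly become one origin (the web VPN's) once rewritten, so a single cookie jar, and therefore a single document.cookie, holds the VPN session cookie and every "globalized" site cookie. The VPN host name, site names and cookie values are constructed for illustration.

```javascript
// Added example (not from the CERT note): model of web VPN link rewriting and
// cookie globalization, and the origin collapse it causes. Names are constructed.

const VPN_HOST = 'webvpn.example.org'; // assumed web VPN host

// The origin a browser compares under the same origin policy: scheme, host, port.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Link rewriting as described in the note:
//   http://www.intranet.example.com/mail.html -> https://VPN_HOST/www.intranet.example.com/mail.html
function rewriteLink(url) {
  const u = new URL(url);
  return `https://${VPN_HOST}/${u.host}${u.pathname}${u.search}`;
}

// Cookie globalization as described in the note: a "sessionid" cookie set by
// intranet.example.com is renamed intranet.example.com_sessionid and is now
// scoped to the VPN host rather than to the site that set it.
function globalizeCookie(setBy, setCookieHeader) {
  const pair = setCookieHeader.split(';')[0];
  const eq = pair.indexOf('=');
  return {
    name: `${setBy}_${pair.slice(0, eq).trim()}`,
    value: pair.slice(eq + 1).trim(),
    domain: VPN_HOST,
  };
}

// The VPN-origin cookie jar after the user has visited several sites through the
// VPN: the VPN session cookie plus one globalized cookie per site. This string is
// what document.cookie yields to any script that runs in the VPN origin.
function cookieJarSeenByPage(vpnSessionId, siteCookies) {
  const jar = [{ name: 'webvpn_session', value: vpnSessionId, domain: VPN_HOST }];
  for (const { site, header } of siteCookies) {
    jar.push(globalizeCookie(site, header));
  }
  return jar.map(c => `${c.name}=${c.value}`).join('; ');
}

// Constructed sample: two sites that are separate origins when visited directly.
const siteA = 'http://www.intranet.example.com/mail.html';
const siteB = 'http://wiki.example.net/page.html';

console.log('direct:    same origin =', sameOrigin(siteA, siteB));                       // false
console.log('rewritten: same origin =', sameOrigin(rewriteLink(siteA), rewriteLink(siteB))); // true
console.log(cookieJarSeenByPage('S1', [
  { site: 'intranet.example.com', header: 'sessionid=abc123; Path=/; HttpOnly' },
  { site: 'wiki.example.net', header: 'wikiuser=bob; Path=/' },
]));
```

The last line prints one jar containing the VPN session cookie and both sites' renamed cookies, which is exactly the "all of the user's cookies for the web VPN domain" that the note says an un-rewritten document.cookie reference would expose. The renaming prevents name collisions, but it does nothing to restore the per-site isolation the browser would have enforced on the original origins.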

If an attacker constructs a page that obfuscates the document.cookie element in such a way as to avoid being rewritten by the web VPN, then the document.cookie object in the returned page will represent all of the user's cookies for the web VPN domain. Included in this document.cookie are the web VPN session ID cookie itself and any globally unique cookies set by sites requested through the web VPN. The attacker may then use these cookies to hijack the user's VPN session and any other sessions accessed through the web VPN that rely on cookies for session identification.

Additionally, an attacker could construct a page with two frames: one hidden and one that displays a legitimate intranet site. The hidden frame could log all keys pressed in the second, benign frame and submit these keypresses as parameters to an XMLHttpRequest GET to the attacker's site, rewritten in web VPN syntax.

Note that if the VPN server is allowed to connect to arbitrary Internet sites, these vulnerabilities can be exploited by any site on the Internet.

II. Impact

By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For additional information about impacts, please see CERT Advisory CA-2000-02.

III. Solution

There is no solution to this problem. Depending on their specific configuration and location in the network, these devices may be impossible to operate securely. Administrators are encouraged to review the workarounds below and see the Systems Affected section of this document for more information about specific vendors.

Limit URL rewriting to trusted domains

If supported by the VPN server, URLs should only be rewritten for trusted internal sites. All other sites and domains should not be accessible through the VPN server.

Since an attacker only needs to convince a user to visit a web page that is viewed through the VPN to exploit this vulnerability, this workaround is likely to be less effective if a large number of hosts or domains can be accessed through the VPN server. When deciding which sites can be visited through the VPN server, it is important to remember that all allowed sites will operate within the same security context in the web browser.

Limit VPN server network connectivity to trusted domains

It may be possible to configure the VPN device to only access specific network domains. This restriction may also be possible by using firewall rules.

Disable URL hiding features

Obfuscating URLs hides the destination page from the end user. This feature can be used by an attacker to hide the destination page of any links they send. For example, compare https://<vpn.example.com>/attack-site.com with https://<vpn.example.com>/778928801: the second form gives the user no indication of where the link leads.
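As an added example, not from the CERT note or from any product, here is a small Node.js check that models the three workarounds above from the administrator's side: it takes rewritten web VPN URLs (for example from an access log), extracts the destination host encoded in the first path segment, and compares it against a trusted-domain allowlist. It also handles the URL hiding case: when the first segment is an opaque id rather than a hostname, the destination cannot be checked against an allowlist at all, so the URL is reported separately. The VPN host, the allowlist and the log lines are constructed; the subdomain matching rule is this example's own design choice.

```javascript
// Added example (not from the CERT note): allowlist check for rewritten web VPN
// URLs, modelling the "limit URL rewriting to trusted domains" workaround.
// VPN host, trusted domains and log lines are constructed.

const VPN_HOST = 'vpn.example.com';
// Trusted internal domains; subdomains of an entry are accepted as well.
const TRUSTED_DOMAINS = ['intranet.example.com', 'mail.example.com'];

// Loose hostname syntax: at least two dot-separated labels.
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

// Destination host encoded as https://VPN_HOST/<host>/<path>, or null when the
// first path segment is not a hostname (e.g. a numeric id from a URL hiding feature).
function destinationHost(rewrittenUrl) {
  const u = new URL(rewrittenUrl);
  const first = u.pathname.split('/').filter(Boolean)[0] || '';
  return HOSTNAME_RE.test(first) ? first.toLowerCase() : null;
}

function isTrusted(host) {
  return TRUSTED_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// 'not-proxied': the URL does not go through the VPN at all.
// 'opaque':      the destination cannot be determined from the URL.
// 'trusted' / 'untrusted': destination is / is not on the allowlist.
function classify(rewrittenUrl) {
  if (new URL(rewrittenUrl).host !== VPN_HOST) return 'not-proxied';
  const host = destinationHost(rewrittenUrl);
  if (host === null) return 'opaque';
  return isTrusted(host) ? 'trusted' : 'untrusted';
}

// Constructed access-log lines in "METHOD URL" form.
const SAMPLE_LOG = [
  'GET https://vpn.example.com/intranet.example.com/index.html',
  'GET https://vpn.example.com/mail.example.com/inbox',
  'GET https://vpn.example.com/attack-site.com/page.html',
  'GET https://vpn.example.com/778928801',
];

// Every proxied URL whose destination is not a trusted domain, with its verdict.
function findPolicyViolations(lines) {
  return lines
    .map(line => line.split(' ')[1])
    .map(url => ({ url, verdict: classify(url) }))
    .filter(r => r.verdict !== 'trusted' && r.verdict !== 'not-proxied');
}

for (const violation of findPolicyViolations(SAMPLE_LOG)) {
  console.log(`${violation.verdict}: ${violation.url}`);
}
```

Run against the sample log, the check reports the external site as "untrusted" and the numeric-id URL as "opaque". The second verdict is the practical reason the note recommends disabling URL hiding: with the destination hidden, neither the user nor a log-based allowlist review can tell which site was reached through the VPN.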

Systems Affected

Any clientless, browser-based SSL VPN that proxies multiple domains as a single domain violates the same origin policy and is considered to be vulnerable. Vendors of such products are listed as "vulnerable."

Clientless SSL VPN products ship with a variety of default configurations and available security features. Some products by default provide limited or no access and require an administrator to enable specific domains (or all domains). Depending on functional and security requirements, network architecture, and available security features, it may be possible to operate a clientless SSL VPN in a way that minimizes the potential impact of these vulnerabilities. Users are encouraged to review product documentation and features to determine whether a clientless SSL VPN meets security requirements.

Vendor | Status | Date Notified | Date Updated
3com Inc | Unknown | 2009-10-19 | 2009-10-19
ACCESS | Unknown | 2009-10-19 | 2009-10-19
aep NETWORKS | Vulnerable | 2009-11-06 | 2009-12-17
Alcatel-Lucent | Unknown | 2009-10-19 | 2009-10-19
Avaya, Inc. | Unknown | 2009-10-19 | 2009-10-19
Barracuda Networks | Unknown | 2009-09-24 | 2009-12-04
Check Point Software Technologies | Vulnerable | 2009-09-15 | 2009-12-16
Cisco Systems, Inc. | Vulnerable | 2009-09-24 | 2009-12-17
Citrix | Vulnerable | 2009-09-24 | 2009-12-16
Computer Associates | Not Vulnerable | 2009-10-19 | 2009-12-17
Conectiva Inc. | Unknown | 2009-10-19 | 2009-10-19
D-Link Systems, Inc. | Unknown | 2009-10-19 | 2009-10-19
Debian GNU/Linux | Unknown | 2009-10-19 | 2009-10-19
DragonFly BSD Project | Unknown | 2009-10-19 | 2009-10-19
EMC Corporation | Unknown | 2009-10-19 | 2009-10-19
Engarde Secure Linux | Unknown | 2009-10-19 | 2009-10-19
Enterasys Networks | Unknown | 2009-10-19 | 2009-10-19
Ericsson | Unknown | 2009-10-19 | 2009-10-19
eSoft, Inc. | Unknown | 2009-10-19 | 2009-10-19
Extreme Networks | Not Vulnerable | 2009-10-19 | 2009-12-04
F5 Networks, Inc. | Unknown | 2009-09-16 | 2009-09-16
Fedora Project | Not Vulnerable | 2009-10-19 | 2009-12-04
Force10 Networks, Inc. | Unknown | 2009-10-19 | 2009-10-19
Fortinet, Inc. | Unknown | 2009-10-19 | 2009-10-19
Foundry Networks, Inc. | Unknown | 2009-10-19 | 2009-10-19
FreeBSD, Inc. | Unknown | 2009-10-19 | 2009-10-19
Fujitsu | Unknown | 2009-10-19 | 2009-10-19
Gentoo Linux | Unknown | 2009-10-19 | 2009-10-19
Global Technology Associates | Unknown | 2009-10-19 | 2009-10-19
Hewlett-Packard Company | Unknown | 2009-10-19 | 2009-10-19
Hitachi | Unknown | 2009-10-19 | 2009-10-19
IBM Corporation | Unknown | 2009-10-19 | 2009-10-19
IBM eServer | Unknown | 2009-10-19 | 2009-10-19
Infoblox | Unknown | 2009-10-19 | 2009-10-19
Intel Corporation | Not Vulnerable | 2009-10-19 | 2009-12-04
Internet Security Systems, Inc. | Not Vulnerable | 2009-10-19 | 2009-12-15
Intoto | Unknown | 2009-10-19 | 2009-10-19
IP Filter | Unknown | 2009-10-19 | 2009-10-19
IP Infusion, Inc. | Unknown | 2009-10-19 | 2009-10-19
Juniper Networks, Inc. | Vulnerable | 2009-09-24 | 2009-12-17
Kerio Technologies | Not Vulnerable | 2009-09-24 | 2009-10-01
Luminous Networks | Unknown | 2009-10-19 | 2009-10-19
m0n0wall | Unknown | 2009-10-19 | 2009-10-19
Mandriva S. A. | Unknown | 2009-10-19 | 2009-10-19
McAfee | Not Vulnerable | 2009-09-15 | 2009-12-04
Microsoft Corporation | Vulnerable | 2009-09-24 | 2009-12-07
MontaVista Software, Inc. | Unknown | 2009-10-19 | 2009-10-19
Multitech, Inc. | Unknown | 2009-10-19 | 2009-10-19
NEC Corporation | Unknown | 2009-10-19 | 2009-10-19
NetApp | Unknown | 2009-10-19 | 2009-10-19
NetBSD | Unknown | 2009-10-19 | 2009-10-19
netfilter | Unknown | 2009-10-19 | 2009-10-19
Netgear, Inc. | Unknown | 2009-10-20 | 2009-10-20
Nokia | Unknown | 2009-10-19 | 2009-10-19
Nortel Networks, Inc. | Vulnerable | 2009-10-19 | 2009-12-16
Novell, Inc. | Not Vulnerable | 2009-09-24 | 2009-12-04
OpenBSD | Unknown | 2009-10-19 | 2009-10-19
OpenVPN Technologies | Vulnerable | 2009-11-13 | 2009-12-17
Openwall GNU/*/Linux | Unknown | 2009-10-19 | 2009-10-19
PePLink | Not Vulnerable | 2009-10-19 | 2009-12-04
Process Software | Unknown | 2009-10-19 | 2009-10-19
Q1 Labs | Not Vulnerable | 2009-10-19 | 2009-12-04
QNX Software Systems Inc. | Unknown | 2009-10-19 | 2009-10-19
Quagga | Unknown | 2009-10-19 | 2009-10-19
RadWare, Inc. | Unknown | 2009-10-19 | 2009-10-19
Red Hat, Inc. | Not Vulnerable | 2009-10-19 | 2009-12-04
Redback Networks, Inc. | Unknown | 2009-10-19 | 2009-10-19
SafeNet | Vulnerable | 2009-10-19 | 2009-12-03
Secureworx, Inc. | Unknown | 2009-10-19 | 2009-10-19
Silicon Graphics, Inc. | Unknown | 2009-10-19 | 2009-10-19
SmoothWall | Unknown | 2009-10-19 | 2009-10-19
Snort | Unknown | 2009-10-19 | 2009-10-19
Soapstone Networks | Unknown | 2009-10-19 | 2009-10-19
SonicWall | Vulnerable | 2009-09-15 | 2009-12-04
Sourcefire | Unknown | 2009-10-19 | 2009-10-19
Stonesoft | Vulnerable | 2009-10-19 | 2009-12-17
Sun Microsystems, Inc. | Vulnerable | 2009-10-19 | 2009-12-08
SUSE Linux | Unknown | 2009-10-19 | 2009-10-19
Symantec | Unknown | 2009-09-15 | 2009-09-15
The SCO Group | Unknown | 2009-10-19 | 2009-10-19
Turbolinux | Unknown | 2009-10-19 | 2009-10-19
U4EA Technologies, Inc. | Unknown | 2009-10-19 | 2009-10-19
Ubuntu | Unknown | 2009-10-19 | 2009-10-19
Unisys | Unknown | 2009-10-19 | 2009-10-19
VMware | Unknown | 2009-10-19 | 2009-10-19
Vyatta | Unknown | 2009-10-19 | 2009-10-19
Watchguard Technologies, Inc. | Unknown | 2009-10-19 | 2009-10-19
Webmin | Not Vulnerable | 2009-09-25 | 2009-10-02
Wind River Systems, Inc. | Unknown | 2009-10-19 | 2009-10-19
ZyXEL | Unknown | 2009-10-19 | 2009-10-19

References

https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript
https://developer.mozilla.org/en/DOM/document.cookie
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
http://www.owasp.org/index.php/Category:OWASP_Cookies_Database
http://www.owasp.org/index.php/Testing_for_Session_Management_Schema_(OWASP-SM-001)#Black_Box_Testing_and_Examples
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html#wp1404057
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046708.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046886.html
http://www.blackhat.com/presentations/bh-usa-08/Zusman/BH_US_08_Zusman_SSL_VPN_Abuse.pdf

Credit

This issue was discovered by David Warren and Ryan Giobbi. Much of the original research into this issue was done by Michal Zalewski and Mike Zusman.

This document was written by David Warren and Ryan Giobbi.

Other Information

Date Public: 2009-11-30
Date First Published: 2009-11-30
Date Last Updated: 2010-04-06
CVE-ID(s): CVE-2009-2631
NVD-ID(s): CVE-2009-2631
Metric: 45.00
Document Revision: 177

Original Source

Url : http://www.kb.cert.org/vuls/id/261869

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-264 | Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Type | Description | Count
Hardware | (not present in this copy) | 1

Open Source Vulnerability Database (OSVDB)

Id | Description
61195 | Stonegate Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy By...
61194 | Nortel Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
61193 | Juniper Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
61192 | Citrix Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
61191 | Cisco ASA Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy By...
61190 | SonicWALL Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy By...