Executive Summary
| Summary | |
|---|---|
| Title | Clientless SSL VPN products break web browser domain-based security models |
| Information | | | |
|---|---|---|---|
| Name | VU#261869 | First vendor publication | 2009-11-30 |
| Vendor | VU-CERT | Last vendor modification | 2010-04-06 |
| Severity (vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
| CVSS vector: N/A | | | |
|---|---|---|---|
| Overall CVSS Score | N/A | | |
| Base Score | N/A | Environmental Score | N/A |
| Impact Subscore | N/A | Temporal Score | N/A |
| Exploitability Subscore | N/A | | |
Security-Database Scoring CVSS v2
| CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) | | | |
|---|---|---|---|
| CVSS Base Score | 6.8 | Attack Range | Network |
| CVSS Impact Score | 6.4 | Attack Complexity | Medium |
| CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#261869
Clientless SSL VPN products break web browser domain-based security models

Overview
Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

I. Description
Web browsers enforce the same origin policy to prevent one site's active content (such as JavaScript) from accessing or modifying another site's data. For instance, active content hosted at http://<example.com>/page1.html can access DOM objects on http://<example.com>/page2.html, but cannot access objects hosted at http://<example.net>/page.html. Many clientless SSL VPN products retrieve content from different sites, then present that content as coming from the SSL VPN, effectively circumventing browser same origin restrictions.

Clientless SSL VPNs provide browser-based access to internal and external resources without the need to install a traditional VPN client. Typically, these web VPNs are used to access intranet sites (such as an internal webmail server), but many have more capabilities, such as providing access to internal file shares and remote desktop capabilities. To connect to a VPN, a web browser is used to authenticate to the web VPN; the web VPN then retrieves and presents the content from the requested pages.

If an attacker constructs a page that obfuscates the document.cookie element in such a way as to avoid being rewritten by the web VPN, then the document.cookie object in the returned page will represent all of the user's cookies for the web VPN domain. Included in this document.cookie are the web VPN session ID cookie itself and any globally unique cookies set by sites requested through the web VPN. The attacker may then use these cookies to hijack the user's VPN session and any other sessions accessed through the web VPN that rely on cookies for session identification. Additionally, an attacker could construct a page with two frames: one hidden and one that displays a legitimate intranet site. The hidden frame could log all keys pressed in the second, benign frame and submit these keypresses as parameters to an XMLHttpRequest GET to the attacker's site, rewritten in web VPN syntax. Note that if the VPN server is allowed to connect to arbitrary Internet sites, these vulnerabilities can be exploited by any site on the Internet.

II. Impact
By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms that provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For additional information about impacts, please see CERT Advisory CA-2000-02.

III. Solution
There is no solution to this problem. Depending on their specific configuration and location in the network, these devices may be impossible to operate securely. Administrators are encouraged to view the workarounds below and see the systems affected section of this document for more information about specific vendors.

Limit URL rewriting to trusted domains
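As an added illustration (not part of the CERT note or any vendor's product code), the following JavaScript models the URL rewriting described in section I, showing how pages from unrelated sites collapse onto the VPN's single origin, and the "limit URL rewriting to trusted domains" workaround named under section III; the hostnames vpn.example, intranet.example and www.example.net are assumed.

```javascript
// Added illustration, not vendor code: a minimal model of clientless SSL VPN
// URL rewriting and the "limit rewriting to trusted domains" workaround.
// Hostnames vpn.example, intranet.example and www.example.net are assumed.

// Model of how a web VPN rewrites a remote URL so that the browser fetches it
// through the VPN host. Every rewritten URL ends up on the VPN's own origin.
function rewriteUrl(target, vpnHost) {
  const u = new URL(target);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('only http(s) URLs are rewritten');
  }
  const scheme = u.protocol.replace(':', '');
  return `https://${vpnHost}/proxy/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Browser-side origin of a URL (scheme + host + port), the unit the same
// origin policy isolates.
function originOf(url) {
  return new URL(url).origin;
}

// Workaround from the note: only rewrite (proxy) URLs whose host is a trusted
// domain or a subdomain of one. Exact match or dot-bounded suffix match, so a
// lookalike such as "evilintranet.example" does not match "intranet.example".
function isRewriteAllowed(target, trustedDomains) {
  let u;
  try { u = new URL(target); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  const host = u.hostname.toLowerCase();
  return trustedDomains.some((d) => {
    const dom = d.toLowerCase();
    return host === dom || host.endsWith('.' + dom);
  });
}

// Two unrelated sites are distinct origins before rewriting and the same
// origin (the VPN's) afterwards, which is the root of the problem.
function demonstrateOriginCollapse(vpnHost) {
  const intranet = 'https://intranet.example/mail/';
  const external = 'http://www.example.net/page.html';
  return {
    originalSameOrigin: originOf(intranet) === originOf(external),
    rewrittenSameOrigin:
      originOf(rewriteUrl(intranet, vpnHost)) === originOf(rewriteUrl(external, vpnHost)),
  };
}
```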
References
https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript
https://developer.mozilla.org/en/DOM/document.cookie
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
http://www.owasp.org/index.php/Category:OWASP_Cookies_Database
http://www.owasp.org/index.php/Testing_for_Session_Management_Schema_(OWASP-SM-001)#Black_Box_Testing_and_Examples
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html#wp1404057
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046708.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046886.html
http://www.blackhat.com/presentations/bh-usa-08/Zusman/BH_US_08_Zusman_SSL_VPN_Abuse.pdf

Credit
This issue was discovered by David Warren and Ryan Giobbi. Much of the original research into this issue was done by Michal Zalewski and Mike Zusman. This document was written by David Warren and Ryan Giobbi.
Original Source
Url : http://www.kb.cert.org/vuls/id/261869
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Hardware | | 1 |
| Hardware | | 1 |
| Hardware | | 1 |
| Hardware | | 1 |
| Hardware | | 1 |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 61195 | Stonegate Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy By... |
| 61194 | Nortel Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass |
| 61193 | Juniper Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass |
| 61192 | Citrix Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass |
| 61191 | Cisco ASA Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy By... |
| 61190 | SonicWALL Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy By... |