Clientless SSL VPN products vulnerable, says US-CERT

US-CERT this week warned of a vulnerability that impacts a host of clientless SSL VPN products and could lead to bypassed authentication and other internet attacks.

Clientless SSL products provide web-based access to intranet sites, internal file shares and remote desktops, without needing to install a traditional VPN client.

Many of these products operate in a way that bypasses fundamental web browser domain-based security mechanisms, US-CERT said. Products from Cisco, Citrix, McAfee, Intel and a number of other vendors are affected.

The security mechanism that is bypassed is the same-origin policy, which is enforced by web browsers to prevent active content, such as JavaScript, hosted on one site from accessing or modifying data on a different site. Many clientless VPN products retrieve content from different sites and then present that content as coming from the SSL VPN, circumventing the same-origin restrictions.

Source

This entry was posted on Friday, December 4th, 2009 at 8:12 amand is filed under SSL, VPN, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply