Vulnerability in Novell's SSL-VPN solution
Novell has released an update for its Novell Access Manager SSL-VPN solution, which prevents users from being able to circumvent security policies to obtain access to arbitrary network resources. The source of the problem lies in the actX.ocx Active X control, which creates a file policy.txt during installation. This file specifies security policies. According to the bug report, the control sets the wrong privileges for the file, so that non-privileged users have access to and can modify this file. Novell Access Manager Version 3.0 IR1 is affected. An updated control in which the bug has been fixed is available.
- Fix for SSL-VPN Security vulnerability allowing users to bypass configured traffic policy with ActiveX based connections, advisory from Novell