Web VPN solutions circumvent browser security model
US-CERT has stated that clientless SSL VPN products from various vendors tear a hole in browser security mechanisms, allowing theft of cookies and access data. Clientless SSL VPNs rely on a secure internet connection between a user's web browser and a company web server serving various applications for out-of-office staff and providing access to additional intranet services. The solutions are known as 'clientless' because they do not require a dedicated VPN client.
To make specific resources externally available via HTTP, the web VPN solution has to rewrite URLs – so http://www.intranet.example.com/mail.html, for example, becomes https://webvpnserver/www.intranet.example.com. As a result, all URLs start with the same domain, irrespective of where on the intranet the content originates. Cookies and references to objects such as document.cookie delivered by web applications are also rewritten by the VPN solution. But, according to US-CERT, in doing so, VPN products are circumventing the browser's same origin policy, which prevents objects and scripts from accessing data and objects loaded from other domains. The same origin policy is based on the domain name, but under an SSL VPN this is always the same – webvpnserver in our example above.
According to US-CERT, an attacker could in principle set up an HTML intranet page which uses the document.cookie object to read all of a victim's cookies, although the attacker would need to prevent the VPN server from rewriting this object. According to the report, this could be achieved by obfuscating the object in the source code. Once an attacker has a victim's cookies, he is able to take over all the victim's connections to intranet servers.
Using a concealed frame, it is reported to be possible to read a victim's key presses in another, visible frame and send them to the attacker's server. The problem is particularly thorny if the SSL VPN is not restricted to accessing and rewriting URLs for the intranet, but also provides access to, and rewrites URLs for, external web servers.
The report lists a large number of vendors who are potentially affected, although only Cisco, Juniper, SafeNet and SonicWall have so far been confirmed as being vulnerable to this problem. Vendors who are not affected include Extreme Networks, Kerio, McAfee and Novell. Other vendors can be assumed to have not yet responded to US-CERT. There is no quick fix in sight for the affected products. The report does, however, list workarounds which should mitigate the problem – administrators are advised to restrict URL rewriting to trusted domains and to limit access to as few domains as possible. US-CERT also suggests deactivating any URL hiding features.
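The following is an added illustration, not code from the article or from any vendor's product: it models the URL rewriting scheme described above, shows how it collapses distinct intranet and external origins into the single origin the browser sees, and how restricting rewriting to an allowlist of trusted domains (the workaround US-CERT recommends) limits which hosts share that origin. The host name webvpnserver comes from the article; the intranet and external host names, the handling of the path and query string, and the allowlist matching rule are assumptions made for the example.

```javascript
// Added illustration of the same-origin collapse caused by a clientless SSL VPN's
// URL rewriting, and of the "rewrite only trusted domains" workaround.
// Not the article's or any vendor's code; host names below are constructed.

const VPN_HOST = "webvpnserver"; // taken from the article's example

// The origin as the browser's same origin policy sees it: scheme + host (+ port).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Rewrite a URL the way the article describes (path/query handling assumed):
// http://www.intranet.example.com/mail.html
//   -> https://webvpnserver/www.intranet.example.com/mail.html
function rewriteUrl(url, vpnHost = VPN_HOST) {
  const u = new URL(url);
  return `https://${vpnHost}/${u.host}${u.pathname}${u.search}`;
}

// Workaround from the report: only rewrite (and therefore proxy) hosts that are
// on an administrator-defined allowlist; anything else is not rewritten, so it
// never shares the VPN's single origin. Returns null for a disallowed host.
function rewriteWithAllowlist(url, allowedDomains, vpnHost = VPN_HOST) {
  const host = new URL(url).hostname;
  const allowed = allowedDomains.some(
    (d) => host === d || host.endsWith("." + d)
  );
  return allowed ? rewriteUrl(url, vpnHost) : null;
}

// Two distinct intranet origins and one external site (all constructed).
const MAIL_URL = "http://www.intranet.example.com/mail.html";
const HR_URL = "http://hr.intranet.example.com/payroll?year=2009";
const EXTERNAL_URL = "http://www.external.example.net/page.html";

// True when two URLs, after rewriting, share one browser origin.
function sameOriginAfterRewrite(a, b) {
  return originOf(rewriteUrl(a)) === originOf(rewriteUrl(b));
}

console.log("original origins differ:", originOf(MAIL_URL) !== originOf(HR_URL));
console.log("after rewrite, intranet hosts share origin:", sameOriginAfterRewrite(MAIL_URL, HR_URL));
console.log("after rewrite, external site shares origin too:", sameOriginAfterRewrite(MAIL_URL, EXTERNAL_URL));
console.log("with allowlist, external site rewritten to:", rewriteWithAllowlist(EXTERNAL_URL, ["intranet.example.com"]));
```

The last line prints null: with the allowlist in place the external site is never rewritten, so scripts served from it cannot end up on the same origin as the intranet applications.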