Operating System:

[Appliance]

Published:

17 December 2009

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1660
Clientless SSL VPN products break web browser domain-based security models
                             17 December 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Clientless SSL VPN products
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Remote with User Interaction
                   Reduced Security    -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2009-2631  

Original Bulletin: 
   http://www.kb.cert.org/vuls/id/261869

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#261869

Clientless SSL VPN products break web browser domain-based security models

Overview

Clientless SSL VPN products from multiple vendors operate in a way that breaks 
fundamental browser security mechanisms. An attacker could use these devices to 
bypass authentication or conduct other web-based attacks.

I. Description

Web browsers enforce the same origin policy to prevent one site's active content 
(such as JavaScript) from accessing or modifying another site's data. For 
instance, active content hosted at http://<example.com>/page1.html can access 
DOM objects on http://<example.com>/page2.html, but cannot access objects 
hosted at http://<example.net>/page.html. Many clientless SSL VPN products 
retrieve content from different sites, then present that content as coming from 
the SSL VPN, effectively circumventing browser same origin restrictions.

Clientless SSL VPNs provide browser-based access to internal and external 
resources without the need to install a traditional VPN client. Typically, 
these web VPNs are used to access intranet sites (such as an internal webmail 
server), but many have more capabilities, such as providing access to internal 
fileshares and remote desktop capabilities. To connect to a VPN, a web browser 
is used to authenticate to the web VPN, then the web VPN retrieves and presents 
the content from the requested pages.

Web VPN servers interact with clients using a process similar to what is 
described below:

   1. The user presents credentials to the web VPN using a web browser. The 
      authentication can be done through username and password submission, or 
      can involve multi-factor authentication.
   2. The web VPN authenticates the user and assigns an ID to the session, 
      which is sent to the user's browser in the form of a cookie.
   3. The user can then browse internal resources, such as a webmail server or 
      intranet webserver. URLs as viewed by the user's web browser may be 
      similar to https://<webvpnserver>/www.intranet.example.com

As the web VPN retrieves web pages, it rewrites hyperlinks so that they are 
accessible through the web VPN. For example, a link to 
http://<www.intranet.example.com>/mail.html becomes 
https://<webvpnserver>/www.intranet.example.com/mail.html. Cookies set by the 
requested webserver are converted into globally unique cookies before being 
passed to the user's browser, which prevents collision between two identically 
named cookies from different requested domains. For example, a sessionid cookie
st by intranet.example.com could be renamed to intranet.example.com_sessionid 
before it is sent from the web VPN to the user's browser . Additionally, the 
web VPN replaces references to specific HTML DOM objects, such as 
document.cookie. These DOM objects are replaced with script that returns the 
value for that DOM object as if it had been accessed in the context of the 
requested site's domain.

If an attacker constructs a page that obfuscates the document.cookie element in 
such a way as to avoid being rewritten by the web VPN, then the document.cookie 
object in the returned page will represent all of the user's cookies for the 
web VPN domain. Included in this document.cookie are the web VPN session ID 
cookie itself and all globally unique cookies set by sites requested through 
the web VPN. The attacker may then use these cookies to hijack the user's VPN 
session and all other sessions accessed through the web VPN that rely on 
cookies for session identification.

Additionally, an attacker could construct a page with two frames: one hidden 
and one that displays a legitimate intranet site. The hidden frame could log 
all keys pressed in the second, benign frame and submit these keypresses as 
parameters to a XMLHttpRequest GET to the attacker's site, rewritten in web VPN 
syntax.

Note that if the VPN server is allowed to connect to arbitrary Internet sites, 
these vulnerabilities can be exploited by any site on the Internet.

II. Impact

By convincing a user to view a specially crafted web page, a remote attacker 
may be able to obtain VPN session tokens and read or modify content (including 
cookies, script, or HTML content) from any site accessed through the clientless 
SSL VPN. This effectively eliminates same origin policy restrictions in all 
browsers. For example, the attacker may be able to capture keystrokes while a 
user is interacting with a web page. Because all content runs at the privilege 
level of the web VPN domain, mechanisms to provide domain-based content 
restrictions, such as Internet Explorer security zones and the Firefox add-on 
NoScript, may be bypassed. For additional information about impacts, please see 
CERT Advisory CA-2000-02.

III. Solution

There is no solution to this problem. Depending on their specific configuration 
and location in the network these devices may be impossible to operate 
securely. Administrators are encouraged to view the below workarounds and see 
the systems affected section of this document for more information about 
specific vendors.


Limit URL rewriting to trusted domains

If supported by the VPN server, URLs should only be rewritten for trusted 
internal sites. All other sites and domains should not be accessible through 
the VPN server.

Since an attacker only needs to convince a user to visit web page being viewed
through the VPN to exploit this vulnerability, this workaround is likely to be 
less effective if there are a large number of hosts or domains that can be 
accessed through the VPN server. When deciding which sites can be visited 
through use of the VPN server, it is important to remember that all allowed 
sites will operate within the same security context in the web browser.

Limit VPN server network connectivity to trusted domains

It may be possible to configure the VPN device to only access specific network 
domains. This restriction may also be possible by using firewall rules.

Disable URL hiding features

Obfuscating URLs hides the destination page from the end user. This feature can 
be used by an attacker to hide the destination page of any links they send. For 
example, https://<vpn.example.com>/attack-site.com vs 
https://<vpn.example.com>/778928801

Systems Affected

Vendor				Status		Date Notified	Date Updated
3com Inc			Unknown		2009-10-19	2009-10-19
ACCESS				Unknown		2009-10-19	2009-10-19
aep NETWORKS			Unknown		2009-11-06	2009-11-06
Alcatel-Lucent			Unknown		2009-10-19	2009-10-19
Avaya, Inc.			Unknown		2009-10-19	2009-10-19
Barracuda Networks		Unknown		2009-09-24	2009-12-04
Check Point Software Tech.	Vulnerable	2009-09-15	2009-12-16
Cisco Systems, Inc.		Vulnerable	2009-09-24	2009-12-04
Citrix				Vulnerable	2009-09-24	2009-12-16
Computer Associates		Not Vulnerable	2009-10-19	2009-12-04
Conectiva Inc.			Unknown		2009-10-19	2009-10-19
D-Link Systems, Inc.		Unknown		2009-10-19	2009-10-19
Debian GNU/Linux		Unknown		2009-10-19	2009-10-19
DragonFly BSD Project		Unknown		2009-10-19	2009-10-19
EMC Corporation			Unknown		2009-10-19	2009-10-19
Engarde Secure Linux		Unknown		2009-10-19	2009-10-19
Enterasys Networks		Unknown		2009-10-19	2009-10-19
Ericsson			Unknown		2009-10-19	2009-10-19
eSoft, Inc.			Unknown		2009-10-19	2009-10-19
Extreme Networks		Not Vulnerable	2009-10-19	2009-12-04
F5 Networks, Inc.		Unknown		2009-09-16	2009-09-16
Fedora Project			Not Vulnerable	2009-10-19	2009-12-04
Force10 Networks, Inc.		Unknown		2009-10-19	2009-10-19
Fortinet, Inc.			Unknown		2009-10-19	2009-10-19
Foundry Networks, Inc.		Unknown		2009-10-19	2009-10-19
FreeBSD, Inc.			Unknown		2009-10-19	2009-10-19
Fujitsu				Unknown		2009-10-19	2009-10-19
Gentoo Linux			Unknown		2009-10-19	2009-10-19
Global Technology Associates	Unknown		2009-10-19	2009-10-19
Hewlett-Packard Company		Unknown		2009-10-19	2009-10-19
Hitachi				Unknown		2009-10-19	2009-10-19
IBM Corporation			Unknown		2009-10-19	2009-10-19
IBM eServer			Unknown		2009-10-19	2009-10-19
Infoblox			Unknown		2009-10-19	2009-10-19
Intel Corporation		Not Vulnerable	2009-10-19	2009-12-04
Internet Security Systems, Inc.	Not Vulnerable	2009-10-19	2009-12-15
Intoto				Unknown		2009-10-19	2009-10-19
IP Filter			Unknown		2009-10-19	2009-10-19
IP Infusion, Inc.		Unknown		2009-10-19	2009-10-19
Juniper Networks, Inc.		Vulnerable	2009-09-24	2009-12-03
Kerio Technologies		Not Vulnerable	2009-09-24	2009-10-01
Luminous Networks		Unknown		2009-10-19	2009-10-19
m0n0wall			Unknown		2009-10-19	2009-10-19
Mandriva S. A.			Unknown		2009-10-19	2009-10-19
McAfee				Not Vulnerable	2009-09-15	2009-12-04
Microsoft Corporation		Vulnerable	2009-09-24	2009-12-07
MontaVista Software, Inc.	Unknown		2009-10-19	2009-10-19
Multitech, Inc.			Unknown		2009-10-19	2009-10-19
NEC Corporation			Unknown		2009-10-19	2009-10-19
NetApp				Unknown		2009-10-19	2009-10-19
NetBSD				Unknown		2009-10-19	2009-10-19
netfilter			Unknown		2009-10-19	2009-10-19
Netgear, Inc.			Unknown		2009-10-20	2009-10-20
Nokia				Unknown		2009-10-19	2009-10-19
Nortel Networks, Inc.		Vulnerable	2009-10-19	2009-12-16
Novell, Inc.			Not Vulnerable	2009-09-24	2009-12-04
OpenBSD				Unknown		2009-10-19	2009-10-19
OpenVPN Technologies		Unknown		2009-11-13	2009-11-13
Openwall GNU/*/Linux		Unknown		2009-10-19	2009-10-19
PePLink				Not Vulnerable	2009-10-19	2009-12-04
Process Software		Unknown		2009-10-19	2009-10-19
Q1 Labs				Not Vulnerable	2009-10-19	2009-12-04
QNX Software Systems Inc.	Unknown		2009-10-19	2009-10-19
Quagga				Unknown		2009-10-19	2009-10-19
RadWare, Inc.			Unknown		2009-10-19	2009-10-19
Red Hat, Inc.			Not Vulnerable	2009-10-19	2009-12-04
Redback Networks, Inc.		Unknown		2009-10-19	2009-10-19
SafeNet				Vulnerable	2009-10-19	2009-12-03
Secureworx, Inc.		Unknown		2009-10-19	2009-10-19
Silicon Graphics, Inc.		Unknown		2009-10-19	2009-10-19
SmoothWall			Unknown		2009-10-19	2009-10-19
Snort				Unknown		2009-10-19	2009-10-19
Soapstone Networks		Unknown		2009-10-19	2009-10-19
SonicWall			Vulnerable	2009-09-15	2009-12-04
Sourcefire			Unknown		2009-10-19	2009-10-19
Stonesoft			Vulnerable	2009-10-19	2009-12-03
Sun Microsystems, Inc.		Vulnerable	2009-10-19	2009-12-08
SUSE Linux			Unknown		2009-10-19	2009-10-19
Symantec			Unknown		2009-09-15	2009-09-15
The SCO Group			Unknown		2009-10-19	2009-10-19
Turbolinux			Unknown		2009-10-19	2009-10-19
U4EA Technologies, Inc.		Unknown		2009-10-19	2009-10-19
Ubuntu				Unknown		2009-10-19	2009-10-19
Unisys				Unknown		2009-10-19	2009-10-19
VMware				Unknown		2009-10-19	2009-10-19
Vyatta				Unknown		2009-10-19	2009-10-19
Watchguard Technologies, Inc.	Unknown		2009-10-19	2009-10-19
Webmin				Not Vulnerable	2009-09-25	2009-10-02
Wind River Systems, Inc.	Unknown		2009-10-19	2009-10-19
ZyXEL				Unknown		2009-10-19	2009-10-19

References

https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript
https://developer.mozilla.org/en/DOM/document.cookie
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
http://www.owasp.org/index.php/Category:OWASP_Cookies_Database
http://www.owasp.org/index.php/Testing_for_Session_Management_Schema_(OWASP-SM-001)#Black_Box_Testing_and_Examples
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html#wp1404057
http://seclists.org/fulldisclosure/2006/Jun/238
http://seclists.org/fulldisclosure/2006/Jun/416
http://www.blackhat.com/presentations/bh-usa-08/Zusman/BH_US_08_Zusman_SSL_VPN_Abuse.pdf

Credit

This issue was discovered by David Warren and Ryan Giobbi. Much of the original 
research into this issue was done by Michal Zalewski and Mike Zusman.

This document was written by David Warren and Ryan Giobbi.
Other Information
Date Public:			2009-11-30
Date First Published:		2009-11-30
Date Last Updated:		2009-12-16
CERT Advisory:	 
CVE-ID(s):			CVE-2009-2631
NVD-ID(s):			CVE-2009-2631
US-CERT Technical Alerts:	 
Metric:				45.00
Document Revision:		157

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD4DBQFLKaspNVH5XJJInbgRAjgIAJiwqAm6X1NEqJRRcfvc1dwviX3sAJ9IBjQG
K3lUUe88HUW0gEXOtiAhUA==
=Vd8L
-----END PGP SIGNATURE-----