Several solutions for clientless VPN over SSL are vulnerable, among them those from Cisco, Juniper and SonicWall.
VPN (virtual private network) is an umbrella term for solutions that give users secure access to internal company resources and services over an ordinary internet connection. A VPN session starts with the system verifying the user's credentials; all further traffic then runs through an encrypted tunnel.
A typical VPN solution requires a dedicated client on the user's computer, which can be demanding to configure. As an alternative, clientless VPN solutions are offered. These require nothing more than a web browser: authentication and traffic run over SSL, just as with online banking.
Many in the security community hold the view that clientless VPN tends to sacrifice security on the altar of convenience, and they warn against offering too many services through SSL VPN.
The United States notification service US-CERT yesterday published a warning that highlights the limitations of SSL VPN: Clientless SSL VPN products break web browser domain-based security models.
The warning notes that SSL VPN violates a basic security model of web browsers, and explains how an attacker can exploit this, both to hijack the user's VPN connection and to gain access to the internal resources and everything else the company offers its users through SSL VPN.
US-CERT publishes a list of 90 suppliers of solutions for VPN over SSL.
Four of them are affected by the current vulnerability: Cisco, Juniper, SafeNet and SonicWall. Nine are not affected: CA, Extreme Networks, Fedora, Kerio, McAfee, Novell, Peplink, Red Hat and Webmin. For the rest, including Avaya, Checkpoint, Citrix, D-Link, Debian, EMC, F5, HP, Hitachi, IBM, Intel, Mandriva, Microsoft, NEC, NetApp, Nokia, Nortel, Source Fire, Sun, SUSE, Symantec, Ubuntu and VMware, the status is given as "unknown". It is expected that this will be resolved soon.
Menlologic uses this diagram to explain what kind of internal services can be offered through its SSL VPN. (Illustration: Menlologic)
The security model that is lost is known as the same-origin policy. Its purpose is to prevent a document or script downloaded from one website from reading or changing the properties of content that comes from another site. Content downloaded from two different sites must therefore be kept strictly separate. The rule states that two elements come from the same site only if the protocol, the host and, where specified, the port are all identical.
This means that http://place.com is considered a different site from ftp://place.com, because the protocol differs. Likewise, http://www.place.com is regarded as a different site from http://news.place.com, because the host differs.
This makes things difficult for SSL VPN, because the services it is meant to provide often originate from what these rules regard as different sites. Since the rules are built into the browser, a mechanism to circumvent them must be used.
It is the way this circumvention of the same-origin policy is carried out that constitutes the vulnerability, according to US-CERT: cookies are used to make the browser believe that all VPN traffic goes to the same site, even though in practice different protocols and hosts are involved.
All key information about the current VPN session is held in these cookies, including the VPN session's unique ID. According to US-CERT, an attacker can obtain this information by tricking a potential victim into visiting a specially crafted site. If that happens, the attacker can obtain not only the cookie with the VPN session's unique ID, but also all cookies left by every site the user visits through the VPN. The attacker can thereby hijack the victim's identity, and none of the internal services behind the VPN can distinguish the legitimate user from the illegitimate one. A skilled attacker would also be able to exploit the vulnerability to capture keystrokes on the user's machine.
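To make the mechanism concrete, here is an added example that models the origin rules from the preceding paragraphs and what URL rewriting through a clientless gateway does to them. It is illustrative code written for this article, not code from US-CERT or from any vendor's product: the gateway host `vpn.example.test`, the three internal services and the rewrite form `https://<gateway>/<scheme>/<host>/<path>` are all assumptions (real products use their own encodings). Node's built-in `URL` class supplies the same scheme/host/port decomposition a browser uses.

```javascript
// Added example (not from the US-CERT note or any vendor's code): models
// how a clientless SSL VPN's URL rewriting collapses distinct web origins
// into the gateway's single origin. The rewrite form used here,
// https://<gateway>/<scheme>/<host>/<path>, is an assumed simplification;
// real products use their own encodings. All host names are constructed.

// Assumed gateway host (constructed, not a real deployment).
const VPN_HOST = "vpn.example.test";

// The origin tuple a browser compares: scheme, host and (non-default) port.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps an explicit port, e.g. ":8080"
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Rewrite a target URL so the browser fetches it via the gateway instead.
function rewriteThroughVpn(target) {
  const u = new URL(target);
  const scheme = u.protocol.replace(":", "");
  return `https://${VPN_HOST}/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// A minimal cookie jar keyed by host, the way a browser scopes cookies.
function storeCookie(jar, urlString, name, value) {
  const host = new URL(urlString).host;
  if (!jar.has(host)) jar.set(host, new Map());
  jar.get(host).set(name, value);
  return jar;
}

// Names of the cookies a page loaded from urlString would be able to read.
function cookiesVisibleTo(jar, urlString) {
  const host = new URL(urlString).host;
  return jar.has(host) ? Array.from(jar.get(host).keys()).sort() : [];
}

// Constructed sample: three internal services, each its own origin.
const SERVICES = [
  "https://mail.corp.example.test/inbox",
  "https://wiki.corp.example.test/page",
  "http://payroll.corp.example.test:8080/home",
];

function demo() {
  // Accessed directly, the browser keeps every pair of services apart.
  const directlyIsolated = SERVICES.every((a, i) =>
    SERVICES.every((b, j) => i === j || !sameOrigin(a, b))
  );

  // Accessed through the gateway, every rewritten URL shares one origin.
  const rewritten = SERVICES.map(rewriteThroughVpn);
  const collapsedToGateway = rewritten.every((r) => sameOrigin(r, rewritten[0]));

  // Each service sets its own session cookie and the gateway sets the VPN
  // session cookie. All of them now live under VPN_HOST, so a page from any
  // one rewritten site can read every cookie, including the VPN session ID.
  const jar = new Map();
  rewritten.forEach((r, i) => storeCookie(jar, r, `session_${i}`, "opaque"));
  storeCookie(jar, `https://${VPN_HOST}/`, "vpn_session_id", "opaque");
  const visibleFromWiki = cookiesVisibleTo(jar, rewritten[1]);

  return { directlyIsolated, collapsedToGateway, visibleFromWiki };
}

console.log(demo());
```

The first result shows the browser doing its job when the services are reached directly; the second and third show what the article describes: once every site is served from the gateway's host, the browser has only one origin to reason about, and the cookies of every site visited through the VPN, the VPN session cookie included, are visible from any page loaded through it.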
US-CERT notes that VPN servers often have permission to connect to arbitrary websites. In such cases, the vulnerability can be exploited from any site in the world.
Once the breach has occurred, browser security mechanisms other than the same-origin policy are also affected. When the VPN is used, all content is made available at the same privilege level as the VPN domain. That means, among other things, that Internet Explorer's security zones are taken out of play, as is the NoScript extension for Firefox.
According to US-CERT, there is no solution to this problem, and it may be impossible to achieve a satisfactory level of security through SSL VPN.
Some measures can limit the risk.
The most obvious is to restrict the VPN server's URL rewriting so that it applies only to trusted internal websites. The more hosts and domains that need to have their addresses rewritten, the less effective this measure becomes. This is an argument for restricting the range of services offered through SSL VPN.
Another measure is to limit the VPN functionality to a small number of specified domains.
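The two measures above amount to a rewrite policy on the gateway: rewrite only what is on an explicit list, refuse everything else. The following is an added illustration of such a policy, written for this article and not taken from any vendor's configuration; the gateway host `vpn.example.test`, the allowlists, the candidate URLs and the rewrite form `https://<gateway>/<scheme>/<host>/<path>` are constructed assumptions. It also counts how many distinct origins a given allowlist folds into the gateway's origin, which is the quantity the article says grows as more hosts need rewriting.

```javascript
// Added example, not vendor code: an allowlist rewrite policy of the kind
// the article suggests. Only HTTPS URLs whose host is explicitly listed are
// rewritten through the gateway; anything else is refused, so it never
// comes to share the gateway's origin. Gateway host, allowlists and
// candidate URLs are constructed names.

const VPN_HOST = "vpn.example.test";

// The origin tuple a browser compares: scheme, host and (non-default) port.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Assumed rewrite form: https://<gateway>/<scheme>/<host>/<path>.
function rewriteThroughVpn(target) {
  const u = new URL(target);
  const scheme = u.protocol.replace(":", "");
  return `https://${VPN_HOST}/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Build a decision function from an allowlist of internal host names.
function makeRewritePolicy(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function decide(target) {
    let u;
    try {
      u = new URL(target);
    } catch (err) {
      return { action: "refuse", reason: "unparseable URL" };
    }
    if (u.protocol !== "https:") {
      return { action: "refuse", reason: "only https targets are rewritten" };
    }
    if (!allowed.has(u.hostname.toLowerCase())) {
      return { action: "refuse", reason: "host not on the allowlist" };
    }
    return { action: "rewrite", url: rewriteThroughVpn(target) };
  };
}

// Number of distinct origins a policy folds into the gateway's origin.
// The larger it is, the less of the browser's same-origin separation
// survives, which is why a long allowlist weakens this measure.
function collapsedOrigins(policy, candidates) {
  const folded = new Set();
  for (const c of candidates) {
    if (policy(c).action === "rewrite") folded.add(originOf(c));
  }
  return folded.size;
}

// Constructed candidates: three internal services and one external site.
const CANDIDATES = [
  "https://mail.corp.example.test/inbox",
  "https://wiki.corp.example.test/page",
  "http://legacy.corp.example.test/app",      // plain http: refused
  "https://www.external-site.example.net/",   // not internal: refused
];

const narrowPolicy = makeRewritePolicy(["mail.corp.example.test"]);
const broadPolicy = makeRewritePolicy([
  "mail.corp.example.test",
  "wiki.corp.example.test",
  "legacy.corp.example.test",
]);

function summary() {
  return {
    narrow: collapsedOrigins(narrowPolicy, CANDIDATES),
    broad: collapsedOrigins(broadPolicy, CANDIDATES),
    externalDecision: broadPolicy(CANDIDATES[3]).action,
    legacyDecision: broadPolicy(CANDIDATES[2]).action,
  };
}

console.log(summary());
```

The narrow policy folds a single origin into the gateway, the broad one folds two (the plain-http legacy host is refused even though it is listed), and the external site is refused under both. Refusing rather than passing through unknown hosts is the safer default here, since a rewritten external page would otherwise run at the gateway's privilege level, as the article describes.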