Date: 17 December 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1660
Clientless SSL VPN products break web browser domain-based security models
17 December 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Clientless SSL VPN products
Publisher: US-CERT
Operating System: Network Appliance
Impact/Access: Unauthorised Access -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2009-2631
Original Bulletin:
http://www.kb.cert.org/vuls/id/261869
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#261869
Clientless SSL VPN products break web browser domain-based security models
Overview
Clientless SSL VPN products from multiple vendors operate in a way that breaks
fundamental browser security mechanisms. An attacker could use these devices to
bypass authentication or conduct other web-based attacks.
I. Description
Web browsers enforce the same origin policy to prevent one site's active content
(such as JavaScript) from accessing or modifying another site's data. For
instance, active content hosted at http://<example.com>/page1.html can access
DOM objects on http://<example.com>/page2.html, but cannot access objects
hosted at http://<example.net>/page.html. Many clientless SSL VPN products
retrieve content from different sites, then present that content as coming from
the SSL VPN, effectively circumventing browser same origin restrictions.
Clientless SSL VPNs provide browser-based access to internal and external
resources without the need to install a traditional VPN client. Typically,
these web VPNs are used to access intranet sites (such as an internal webmail
server), but many have more capabilities, such as providing access to internal
fileshares and remote desktop capabilities. To connect to a VPN, a web browser
is used to authenticate to the web VPN, then the web VPN retrieves and presents
the content from the requested pages.
Web VPN servers interact with clients using a process similar to what is
described below:
1. The user presents credentials to the web VPN using a web browser. The
authentication can be done through username and password submission, or
can involve multi-factor authentication.
2. The web VPN authenticates the user and assigns an ID to the session,
which is sent to the user's browser in the form of a cookie.
3. The user can then browse internal resources, such as a webmail server or
intranet webserver. URLs as viewed by the user's web browser may be
similar to https://<webvpnserver>/www.intranet.example.com
As the web VPN retrieves web pages, it rewrites hyperlinks so that they are
accessible through the web VPN. For example, a link to
http://<www.intranet.example.com>/mail.html becomes
https://<webvpnserver>/www.intranet.example.com/mail.html. Cookies set by the
requested webserver are converted into globally unique cookies before being
passed to the user's browser, which prevents collision between two identically
named cookies from different requested domains. For example, a sessionid cookie
set by intranet.example.com could be renamed to intranet.example.com_sessionid
before it is sent from the web VPN to the user's browser. Additionally, the
web VPN replaces references to specific HTML DOM objects, such as
document.cookie. These DOM objects are replaced with script that returns the
value for that DOM object as if it had been accessed in the context of the
requested site's domain.
If an attacker constructs a page that obfuscates the document.cookie element in
such a way as to avoid being rewritten by the web VPN, then the document.cookie
object in the returned page will represent all of the user's cookies for the
web VPN domain. Included in this document.cookie are the web VPN session ID
cookie itself and all globally unique cookies set by sites requested through
the web VPN. The attacker may then use these cookies to hijack the user's VPN
session and all other sessions accessed through the web VPN that rely on
cookies for session identification.
Additionally, an attacker could construct a page with two frames: one hidden
and one that displays a legitimate intranet site. The hidden frame could log
all keys pressed in the second, benign frame and submit these keypresses as
parameters to an XMLHttpRequest GET to the attacker's site, rewritten in web VPN
syntax.
Note that if the VPN server is allowed to connect to arbitrary Internet sites,
these vulnerabilities can be exploited by any site on the Internet.
II. Impact
By convincing a user to view a specially crafted web page, a remote attacker
may be able to obtain VPN session tokens and read or modify content (including
cookies, script, or HTML content) from any site accessed through the clientless
SSL VPN. This effectively eliminates same origin policy restrictions in all
browsers. For example, the attacker may be able to capture keystrokes while a
user is interacting with a web page. Because all content runs at the privilege
level of the web VPN domain, mechanisms to provide domain-based content
restrictions, such as Internet Explorer security zones and the Firefox add-on
NoScript, may be bypassed. For additional information about impacts, please see
CERT Advisory CA-2000-02.
III. Solution
There is no solution to this problem. Depending on their specific configuration
and location in the network these devices may be impossible to operate
securely. Administrators are encouraged to view the below workarounds and see
the systems affected section of this document for more information about
specific vendors.
Limit URL rewriting to trusted domains
If supported by the VPN server, URLs should only be rewritten for trusted
internal sites. All other sites and domains should not be accessible through
the VPN server.
Since an attacker only needs to convince a user to visit a web page being viewed
through the VPN to exploit this vulnerability, this workaround is likely to be
less effective if there are a large number of hosts or domains that can be
accessed through the VPN server. When deciding which sites can be visited
through use of the VPN server, it is important to remember that all allowed
sites will operate within the same security context in the web browser.
Limit VPN server network connectivity to trusted domains
It may be possible to configure the VPN device to only access specific network
domains. This restriction may also be possible by using firewall rules.
Disable URL hiding features
Obfuscating URLs hides the destination page from the end user. This feature can
be used by an attacker to hide the destination page of any links they send. For
example, https://<vpn.example.com>/attack-site.com vs
https://<vpn.example.com>/778928801
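To make the rewriting process in section I and the "Limit URL rewriting to
trusted domains" and "Disable URL hiding features" workarounds concrete, the
following Python model is an added illustration written for this
redistribution; it is not code from US-CERT, AusCERT or any affected vendor
product. It rewrites absolute links into web VPN syntax only for hosts on an
administrator's trusted list (all other links are dropped rather than
proxied), keeps the destination host visible in the rewritten URL instead of
an opaque identifier, renames cookies from a requested server into globally
unique names, and scopes the value substituted for document.cookie to the
requested site's own cookies. The web VPN hostname webvpn.example.org, the
trusted host list and the sample HTML and cookie values are constructed
assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed web VPN hostname (constructed for this example).
WEBVPN_HOST = "webvpn.example.org"

# Workaround "Limit URL rewriting to trusted domains": only these hosts are
# ever rewritten and fetched through the web VPN (constructed list).
TRUSTED_HOSTS = {"www.intranet.example.com", "mail.intranet.example.com"}


def is_trusted(host):
    """True if the requested host is on the administrator's allow list."""
    return host is not None and host.lower() in TRUSTED_HOSTS


def rewrite_url(url):
    """Rewrite http://host/path into https://<webvpn>/host/path.

    The destination host stays visible in the rewritten URL (the
    "Disable URL hiding features" workaround). Untrusted hosts return
    None so that the caller drops the link instead of proxying it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not is_trusted(parts.hostname):
        return None
    new_path = "/" + parts.hostname.lower() + (parts.path or "/")
    return urlunsplit(("https", WEBVPN_HOST, new_path, parts.query, parts.fragment))


LINK_RE = re.compile(r'\b(href|src)="(https?://[^"]*)"', re.IGNORECASE)


def rewrite_links(html):
    """Rewrite every absolute href/src in a fetched page.

    Returns (rewritten_html, dropped_urls). Links to hosts outside the
    trusted set are neutralised ('#') and reported so they can be logged.
    """
    dropped = []

    def replace(match):
        attr, target = match.group(1), match.group(2)
        rewritten = rewrite_url(target)
        if rewritten is None:
            dropped.append(target)
            return f'{attr}="#"'
        return f'{attr}="{rewritten}"'

    return LINK_RE.sub(replace, html), dropped


def rename_cookie(origin_host, set_cookie_header):
    """Turn a Set-Cookie header from the requested server into a globally
    unique cookie for the browser: sessionid -> <host>_sessionid, keeping
    the attributes (Path, HttpOnly, ...) as sent."""
    name_value, _, attrs = set_cookie_header.partition(";")
    name, _, value = name_value.strip().partition("=")
    renamed = f"{origin_host.lower()}_{name.strip()}={value.strip()}"
    return renamed + ("; " + attrs.strip() if attrs.strip() else "")


def scoped_document_cookie(browser_cookie_header, origin_host):
    """Value the web VPN substitutes for document.cookie in a page fetched
    from origin_host: only that host's renamed cookies, with the prefix
    removed, so script sees what it would have seen on the real site.
    The web VPN's own session cookie and other hosts' cookies are excluded."""
    prefix = origin_host.lower() + "_"
    scoped = []
    for item in browser_cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if name.startswith(prefix):
            scoped.append(f"{name[len(prefix):]}={value}")
    return "; ".join(scoped)


if __name__ == "__main__":
    # Constructed sample page with one intranet link and one external image.
    page = ('<a href="http://www.intranet.example.com/mail.html">Mail</a>'
            '<img src="http://external.example.net/x.png">')
    html, dropped = rewrite_links(page)
    print(html)
    print("dropped:", dropped)
    print(rename_cookie("intranet.example.com", "sessionid=abc123; Path=/; HttpOnly"))
    jar = ("webvpn_session=XYZ; intranet.example.com_sessionid=abc123; "
           "mail.intranet.example.com_token=t1")
    print(scoped_document_cookie(jar, "intranet.example.com"))
```

The scoping of document.cookie only holds when the rewriter actually sees and
replaces every reference to it; as section I describes, a reference that
escapes rewriting returns the browser's full cookie set for the web VPN
domain. That is why restricting which hosts are ever rewritten is the more
robust of the two controls: script from a host that is never proxied never
runs in the web VPN's origin at all.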
Systems Affected
Vendor                           Status          Date Notified  Date Updated
3com Inc                         Unknown         2009-10-19     2009-10-19
ACCESS                           Unknown         2009-10-19     2009-10-19
aep NETWORKS                     Unknown         2009-11-06     2009-11-06
Alcatel-Lucent                   Unknown         2009-10-19     2009-10-19
Avaya, Inc.                      Unknown         2009-10-19     2009-10-19
Barracuda Networks               Unknown         2009-09-24     2009-12-04
Check Point Software Tech.       Vulnerable      2009-09-15     2009-12-16
Cisco Systems, Inc.              Vulnerable      2009-09-24     2009-12-04
Citrix                           Vulnerable      2009-09-24     2009-12-16
Computer Associates              Not Vulnerable  2009-10-19     2009-12-04
Conectiva Inc.                   Unknown         2009-10-19     2009-10-19
D-Link Systems, Inc.             Unknown         2009-10-19     2009-10-19
Debian GNU/Linux                 Unknown         2009-10-19     2009-10-19
DragonFly BSD Project            Unknown         2009-10-19     2009-10-19
EMC Corporation                  Unknown         2009-10-19     2009-10-19
Engarde Secure Linux             Unknown         2009-10-19     2009-10-19
Enterasys Networks               Unknown         2009-10-19     2009-10-19
Ericsson                         Unknown         2009-10-19     2009-10-19
eSoft, Inc.                      Unknown         2009-10-19     2009-10-19
Extreme Networks                 Not Vulnerable  2009-10-19     2009-12-04
F5 Networks, Inc.                Unknown         2009-09-16     2009-09-16
Fedora Project                   Not Vulnerable  2009-10-19     2009-12-04
Force10 Networks, Inc.           Unknown         2009-10-19     2009-10-19
Fortinet, Inc.                   Unknown         2009-10-19     2009-10-19
Foundry Networks, Inc.           Unknown         2009-10-19     2009-10-19
FreeBSD, Inc.                    Unknown         2009-10-19     2009-10-19
Fujitsu                          Unknown         2009-10-19     2009-10-19
Gentoo Linux                     Unknown         2009-10-19     2009-10-19
Global Technology Associates     Unknown         2009-10-19     2009-10-19
Hewlett-Packard Company          Unknown         2009-10-19     2009-10-19
Hitachi                          Unknown         2009-10-19     2009-10-19
IBM Corporation                  Unknown         2009-10-19     2009-10-19
IBM eServer                      Unknown         2009-10-19     2009-10-19
Infoblox                         Unknown         2009-10-19     2009-10-19
Intel Corporation                Not Vulnerable  2009-10-19     2009-12-04
Internet Security Systems, Inc.  Not Vulnerable  2009-10-19     2009-12-15
Intoto                           Unknown         2009-10-19     2009-10-19
IP Filter                        Unknown         2009-10-19     2009-10-19
IP Infusion, Inc.                Unknown         2009-10-19     2009-10-19
Juniper Networks, Inc.           Vulnerable      2009-09-24     2009-12-03
Kerio Technologies               Not Vulnerable  2009-09-24     2009-10-01
Luminous Networks                Unknown         2009-10-19     2009-10-19
m0n0wall                         Unknown         2009-10-19     2009-10-19
Mandriva S. A.                   Unknown         2009-10-19     2009-10-19
McAfee                           Not Vulnerable  2009-09-15     2009-12-04
Microsoft Corporation            Vulnerable      2009-09-24     2009-12-07
MontaVista Software, Inc.        Unknown         2009-10-19     2009-10-19
Multitech, Inc.                  Unknown         2009-10-19     2009-10-19
NEC Corporation                  Unknown         2009-10-19     2009-10-19
NetApp                           Unknown         2009-10-19     2009-10-19
NetBSD                           Unknown         2009-10-19     2009-10-19
netfilter                        Unknown         2009-10-19     2009-10-19
Netgear, Inc.                    Unknown         2009-10-20     2009-10-20
Nokia                            Unknown         2009-10-19     2009-10-19
Nortel Networks, Inc.            Vulnerable      2009-10-19     2009-12-16
Novell, Inc.                     Not Vulnerable  2009-09-24     2009-12-04
OpenBSD                          Unknown         2009-10-19     2009-10-19
OpenVPN Technologies             Unknown         2009-11-13     2009-11-13
Openwall GNU/*/Linux             Unknown         2009-10-19     2009-10-19
PePLink                          Not Vulnerable  2009-10-19     2009-12-04
Process Software                 Unknown         2009-10-19     2009-10-19
Q1 Labs                          Not Vulnerable  2009-10-19     2009-12-04
QNX Software Systems Inc.        Unknown         2009-10-19     2009-10-19
Quagga                           Unknown         2009-10-19     2009-10-19
RadWare, Inc.                    Unknown         2009-10-19     2009-10-19
Red Hat, Inc.                    Not Vulnerable  2009-10-19     2009-12-04
Redback Networks, Inc.           Unknown         2009-10-19     2009-10-19
SafeNet                          Vulnerable      2009-10-19     2009-12-03
Secureworx, Inc.                 Unknown         2009-10-19     2009-10-19
Silicon Graphics, Inc.           Unknown         2009-10-19     2009-10-19
SmoothWall                       Unknown         2009-10-19     2009-10-19
Snort                            Unknown         2009-10-19     2009-10-19
Soapstone Networks               Unknown         2009-10-19     2009-10-19
SonicWall                        Vulnerable      2009-09-15     2009-12-04
Sourcefire                       Unknown         2009-10-19     2009-10-19
Stonesoft                        Vulnerable      2009-10-19     2009-12-03
Sun Microsystems, Inc.           Vulnerable      2009-10-19     2009-12-08
SUSE Linux                       Unknown         2009-10-19     2009-10-19
Symantec                         Unknown         2009-09-15     2009-09-15
The SCO Group                    Unknown         2009-10-19     2009-10-19
Turbolinux                       Unknown         2009-10-19     2009-10-19
U4EA Technologies, Inc.          Unknown         2009-10-19     2009-10-19
Ubuntu                           Unknown         2009-10-19     2009-10-19
Unisys                           Unknown         2009-10-19     2009-10-19
VMware                           Unknown         2009-10-19     2009-10-19
Vyatta                           Unknown         2009-10-19     2009-10-19
Watchguard Technologies, Inc.    Unknown         2009-10-19     2009-10-19
Webmin                           Not Vulnerable  2009-09-25     2009-10-02
Wind River Systems, Inc.         Unknown         2009-10-19     2009-10-19
ZyXEL                            Unknown         2009-10-19     2009-10-19
References
https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript
https://developer.mozilla.org/en/DOM/document.cookie
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
http://www.owasp.org/index.php/Category:OWASP_Cookies_Database
http://www.owasp.org/index.php/Testing_for_Session_Management_Schema_(OWASP-SM-001)#Black_Box_Testing_and_Examples
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html#wp1404057
http://seclists.org/fulldisclosure/2006/Jun/238
http://seclists.org/fulldisclosure/2006/Jun/416
http://www.blackhat.com/presentations/bh-usa-08/Zusman/BH_US_08_Zusman_SSL_VPN_Abuse.pdf
Credit
This issue was discovered by David Warren and Ryan Giobbi. Much of the original
research into this issue was done by Michal Zalewski and Mike Zusman.
This document was written by David Warren and Ryan Giobbi.
Other Information
Date Public: 2009-11-30
Date First Published: 2009-11-30
Date Last Updated: 2009-12-16
CERT Advisory:
CVE-ID(s): CVE-2009-2631
NVD-ID(s): CVE-2009-2631
US-CERT Technical Alerts:
Metric: 45.00
Document Revision: 157
If you have feedback, comments, or additional information about this
vulnerability, please send us email.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD4DBQFLKaspNVH5XJJInbgRAjgIAJiwqAm6X1NEqJRRcfvc1dwviX3sAJ9IBjQG
K3lUUe88HUW0gEXOtiAhUA==
=Vd8L
-----END PGP SIGNATURE-----