A vulnerability has been detected in SSL VPN products that use URL rewriting to give a browser direct access to trusted web-based resources.
The United States Computer Emergency Readiness Team (US-CERT) has published a report on the vulnerability, which states that an attacker could use SSL VPN devices to bypass authentication or conduct other web-based attacks.
It said: “If an attacker constructs a page that obfuscates the document.cookie element in such a way as to avoid being rewritten by the web VPN, then the document.cookie object in the returned page will represent all of the user's cookies for the web VPN domain.
“Included in this document.cookie are the web VPN session ID cookie itself and all globally unique cookies set by sites requested through the web VPN. The attacker may then use these cookies to hijack the user's VPN session and all other sessions accessed through the web VPN that rely on cookies for session identification.
“Additionally, an attacker could construct a page with two frames: one hidden and one that displays a legitimate intranet site. The hidden frame could log all keys pressed in the second, benign frame and submit these keystrokes as parameters to an XMLHttpRequest GET to the attacker's site, rewritten in web VPN syntax.”
An attacker, by convincing a user to view a specially crafted web page, may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN.
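The root of the problem described above is that a rewriting web VPN serves every proxied site from its own origin, so the browser files all of their cookies under the VPN's domain and any script running in any page the VPN serves can read them through document.cookie. The following Node.js model is an added illustration, not code from the article, from US-CERT or from any vendor; the VPN origin, the rewriting syntax, the host names and the cookie names and values are all constructed assumptions. It shows what such a script can see, and the two controls a gateway designer has: marking the VPN's own session cookie HttpOnly, which keeps it out of document.cookie, and refusing to rewrite URLs outside an allowlist of trusted sites, since the shared origin still exposes every proxied site's cookies to whatever page the VPN agrees to serve.

```javascript
// Model of a clientless SSL VPN ("web VPN") that reaches back-end sites by
// URL rewriting. Everything here is a constructed example: the origin, the
// rewriting syntax, the hosts and the cookie values are assumptions.

const VPN_ORIGIN = "https://vpn.example.net"; // assumed gateway origin

// Rewrite a back-end URL into the form the web VPN serves it under.
// The "/+scheme+/host/path" layout is an assumed syntax; real products differ.
function rewriteUrl(target) {
  const u = new URL(target);
  const scheme = u.protocol.replace(":", "");
  return `${VPN_ORIGIN}/+${scheme}+/${u.host}${u.pathname}${u.search}`;
}

// The browser's cookie jar for the VPN origin. Each entry remembers which
// back-end site set the cookie, but the browser itself keys cookies only on
// the VPN domain, so that provenance is invisible to script.
function setCookie(jar, { name, value, fromSite, httpOnly = false }) {
  jar.push({ name, value, fromSite, httpOnly });
}

// What document.cookie returns to any script running in the VPN origin:
// every non-HttpOnly cookie, regardless of which proxied site set it.
function scriptVisibleCookies(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Build the jar a user would accumulate after visiting two intranet sites
// through the VPN. sessionHttpOnly controls the gateway's own session cookie.
function buildJar(sessionHttpOnly) {
  const jar = [];
  setCookie(jar, {
    name: "webvpn_session",
    value: "SESSION_ID_PLACEHOLDER", // constructed placeholder, not a real token
    fromSite: VPN_ORIGIN,
    httpOnly: sessionHttpOnly,
  });
  setCookie(jar, { name: "JSESSIONID", value: "hrportal-abc123", fromSite: "https://intranet.corp.example" });
  setCookie(jar, { name: "wiki_auth", value: "wiki-xyz789", fromSite: "https://wiki.corp.example" });
  return jar;
}

// Policy check a hardened gateway applies before rewriting any URL: only
// hosts on an explicit allowlist (exact host or a subdomain) are served
// from the VPN origin, so untrusted pages never run there at all.
function allowedToRewrite(target, allowlist) {
  const host = new URL(target).host;
  return allowlist.some((a) => host === a || host.endsWith("." + a));
}

// Stand-alone demonstration of the two configurations.
function demo() {
  console.log("session cookie readable by script:");
  console.log("  " + scriptVisibleCookies(buildJar(false)));
  console.log("session cookie HttpOnly (intranet cookies still exposed):");
  console.log("  " + scriptVisibleCookies(buildJar(true)));
  const allow = ["corp.example"];
  for (const t of ["https://intranet.corp.example/hr/?id=7", "https://untrusted.example.org/page"]) {
    console.log(`${t} -> ${allowedToRewrite(t, allow) ? rewriteUrl(t) : "refused (not on allowlist)"}`);
  }
}

demo();
```

Running the block shows that HttpOnly alone removes only the gateway's own session ID from the script-visible string; the JSESSIONID and wiki_auth cookies remain readable by any page served through the VPN, which is why the allowlist on what the gateway will rewrite is the control that actually limits who can run script in that origin.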
Currently, there is no known fix and a number of systems are affected. Eric Aarrestad, VP of marketing at WatchGuard Technologies, said: “As mobile workers rely on SSL VPN technology to securely connect to their remote offices or corporate networks, they need reliable connectivity solutions that are free from hackers.
“Unlike customers who rely on networking vendors to provide network security, WatchGuard customers can rest assured knowing that their remote and mobile employees can safely and securely connect to mission-critical networks, applications and data without exposing their business to undue risks.”