The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Cisco, Juniper, Microsoft, Nortel, Stonesoft: vulnerability of SSL VPN

Synthesis of the vulnerability 

A weakness in the conception of some Clientless SSL VPN products can be used by an attacker in order to obtain information from other web sites visited by the victim.
Vulnerable software: Avaya Ethernet Routing Switch, ASA, IVE OS, Juniper SA, ISA, Nortel ESM, Nortel VPN Router, StoneGate Firewall.
Severity of this announce: 3/4.
Creation date: 09/12/2009.
Références of this computer vulnerability: 025367-01, 19500, 2009009920, 984744, BID-37152, CVE-2009-2631, KB15799, PSN-2009-11-580, VIGILANCE-VUL-9265, VU#261869.

Description of the vulnerability 

Some VPN SSL products setup a SSL proxy where users connect with their web browser. Urls of visited web sites are then rewritten as:
  https://proxy-ssl/origin-site/page.html
So, they seem to be hosted on the https://proxy-ssl/ server.

Web browsers are conceived to partition JavaScript scripts on the domain where they come from. However, when a SSL proxy places different web sites under the same domain, this protection is bypassed, and a malicious JavaScript script can thus access to other web sites.

Some products update the source code of web pages on the fly, in order to replace JavaScript calls. However, an attacker can obfuscate his code so this change cannot be done.

A weakness in the conception of some Clientless SSL VPN products can therefore be used by an attacker in order to obtain information from other web sites visited by the victim.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer threat note impacts software or systems such as Avaya Ethernet Routing Switch, ASA, IVE OS, Juniper SA, ISA, Nortel ESM, Nortel VPN Router, StoneGate Firewall.

Our Vigil@nce team determined that the severity of this weakness alert is important.

The trust level is of type confirmed by the editor, with an origin of internet server.

An attacker with a expert ability can exploit this computer weakness note.

Solutions for this threat 

Cisco: workaround for Clientless SSL VPN.
A workaround is to use the VPN to access to trusted domains only.

Juniper: workaround for Clientless SSL VPN.
The Juniper announce indicates workarounds.

Microsoft: workaround for Clientless SSL VPN.
A workaround is to use the VPN to access to trusted domains only.

Nortel: solution for SSL VPN.
The Nortel announce indicates vulnerable products and their solutions.

Stonesoft: workaround for Clientless SSL VPN.
A workaround is to use Pooled DNS Mapping.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides networks vulnerabilities bulletins. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.