US-CERT is now warning about a potentially dangerous flaw in the clientless SSL-VPN implementations of over two dozen vendors, including industry giant Cisco.
“Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms,” US-CERT warns. “An attacker could use these devices to bypass authentication or conduct other web-based
Sounds scary, doesn’t it? But I’m not so sure we all need to run for the hills and abandon SSL-VPNs (yet).
At issue is the same-origin policy that all modern web browsers enforce. The policy stops a page served from one origin (scheme, host and port) from reading content that belongs to another origin. Put simply, you generally don’t want one site having access to the other sites you have open in the same browser.
Now, bypassing the same-origin policy is not a new idea: it is what a cross-site scripting attack achieves by running the attacker’s script inside the victim site’s origin, and the gaps in what the policy covers are what cross-site request forgery and clickjacking exploit.
The problem is that a clientless SSL-VPN works as a rewriting proxy: every page the user fetches through it is re-served from the gateway’s own hostname, so in the browser’s eyes the VPN portal, the internal resources behind it and any external site visited through it all share a single origin. Many implementations let users visit any site they want this way. Since they’ve logged into their VPNs and potentially have access to VPN resources such as file shares, a script from any one of those sites could potentially reach all of that, which is exactly the same-origin violation US-CERT is describing.
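To make the two points above concrete, here is an added example (not code from the original post, from US-CERT, or from any vendor’s product) that models how a browser decides two URLs share an origin and how a clientless SSL-VPN’s URL rewriting collapses unrelated sites into the gateway’s origin. The rewriting scheme used here (the gateway’s hostname plus the original URL carried in the path) is an assumption chosen for illustration; real products use their own vendor-specific encodings, and the hostnames are constructed.

```javascript
// Added example, not from the original post or from any vendor.
// Models (1) the browser's same-origin comparison and (2) how a clientless
// SSL-VPN gateway re-serving every page from its own hostname makes the
// browser treat unrelated sites as one origin. The rewriting format is an
// assumed, illustrative one; real products encode URLs differently.

// Origin as the browser sees it: scheme + host + port (default port implied;
// the WHATWG URL parser drops a default port from `host`).
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Same-origin policy: a document may read another document's content only
// when scheme, host and port all match.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Hypothetical clientless SSL-VPN gateway: the gateway fetches the target
// page itself and re-serves it under its own hostname, carrying the original
// URL in the path. Links inside the page get rewritten the same way, so the
// user keeps browsing through the gateway.
function rewriteThroughVpn(gatewayOrigin, targetUrl) {
  return `${gatewayOrigin}/proxy/${encodeURIComponent(targetUrl)}`;
}

// For each target, the origin that actually produced the content versus the
// origin the browser applies its security checks against.
function effectiveOrigins(gatewayOrigin, targetUrls) {
  return targetUrls.map((t) => ({
    realOrigin: originOf(t),
    browserOrigin: originOf(rewriteThroughVpn(gatewayOrigin, t)),
  }));
}

// Constructed sample: an internal file share reachable only through the VPN,
// and an external site the user happens to open through the same portal.
const GATEWAY = 'https://vpn.example.com';
const INTERNAL = 'https://fileshare.corp.example/secret/report.xls';
const EXTERNAL = 'http://untrusted.example.net/page.html';

function demo() {
  // Browsing directly: distinct origins, so a script on EXTERNAL cannot read
  // INTERNAL's content or cookies.
  const directlyIsolated = !sameOrigin(INTERNAL, EXTERNAL);
  // Browsing through the gateway: both pages are served from
  // https://vpn.example.com, so the browser lets script from the external
  // page read the internal page, and the portal's own session cookies, too.
  const proxiedCollapsed = sameOrigin(
    rewriteThroughVpn(GATEWAY, INTERNAL),
    rewriteThroughVpn(GATEWAY, EXTERNAL),
  );
  return { directlyIsolated, proxiedCollapsed };
}

console.log(effectiveOrigins(GATEWAY, [INTERNAL, EXTERNAL]));
console.log(demo()); // { directlyIsolated: true, proxiedCollapsed: true }
```

The second console line is the whole vulnerability in miniature: `directlyIsolated` is true because the browser keeps the two real sites apart, and `proxiedCollapsed` is also true because once both go through the gateway there is nothing left for the same-origin policy to separate.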