Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
US-CERT this week warned of a vulnerability that impacts a host of clientless SSL VPN products and could lead to bypassed authentication and other internet attacks.Clientless SSL products provide web-based access to intranet sites, internal file shares and remote desktops, without needing to install a traditional VPN client. Many of these products operate in a way that bypasses fundamental web browser domain-based security mechanisms, US-CERT said. Products from Cisco, Citrix, McAfee, Intel and a number of other vendors are affected. The security mechanism that is bypassed is the same-origin policy, which is enforced by web browsers to prevent active content, such as JavaScript, hosted on one site from accessing or modifying data on a different site. Many clientless VPN products retrieve content from different sites and then present that content as coming from the SSL VPN, circumventing the same-origin restrictions. Because of the vulnerability, an attacker could create a malicious page that, when viewed through the clientless VPN, could be used to hijack a user's session or capture keystrokes. Through a specially crafted web page, an attacker could retrieve all cookies set by sites requested through the clientless VPN and then use those cookies to “hijack the user's VPN session and all other sessions accessed through the web (clientless) VPN that rely on cookies for session identification,” the US-CERT said. Also, an attacker could construct a page with a hidden frame that could log a user's keystrokes. “There is no solution to this problem,” the US-CERT said in its advisory. “Depending on their specific configuration and location in the network, these devices may be impossible to operate securely.”The US-CERT offered a number of workarounds, such as limiting URL rewriting or VPN server network connectivity to only trusted domains, or disabling URL hiding features. See original article on scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.