US-CERT has issued a vulnerability note that should worry anybody who relies on SSL VPN products to establish secure web sessions. SSL VPN is a very common method of establishing a secure connection between two remote sites over an Internet connection, where the user connects only through a standard web browser, without the need for any client software. It’s gained popularity because of its simplicity, and because of its clientless nature, it allows for easy, anywhere connectivity. It is commonly used in Internet commerce, and sometimes in cloud-based or remote email.
According to CERT though, many of the commercially available SSL VPN products bypass the security that exists in the web browser, and this could create a security problem. The problem revolves around the “same origin” policy enforced by standard web browsers, which enforce a rule that prohibits active content from accessing data from an external site. However, some of the SSL VPN products do take content from multiple sites, then present it as coming from the SSL VPN by rewriting the URLs that come from the VPN. It would be possible for example, for an attacker to lure a user to a rogue web page, gain access to the VPN session token, and alter content. It would be possible for such an attacker to, for example, use that malicious web page to launch an attack that could capture keystrokes from remote users.
The vulnerability is mostly theoretical, and whether you are vulnerable really depends on how you’ve configured your SSL VPN. It’s important not to take the SSL VPN warning as an indication that you shouldn’t use SSL VPN–such an indication would be unnecessary, and would have a dramatic impact on e-commerce as we know it.
According to CERT, there is no immediate solution to the problem, but there are three workaround solutions: (1) Limit URL rewriting to trusted domains, (2) limit VPN server network connectivity to trusted domains, and (3) disable URL hiding features. In limiting URL rewriting to trusted domains, most firewalls will allow policy rules to be set to accommodate this neeed, so the VPN can only access specific domains.