<<< Date Index >>>     <<< Thread Index >>>

SSL VPNs and security



"Web VPN" or "SSL VPN" is a term used to denote methods for accessing
company's internal applications with a bare WWW browser, with the use of
browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
no additional software or configuration is required, and hence, corporate
users can use pretty much any computer they can put their hands on.

  [ Yes, this is a very bad idea, but often also a perceived business
    necessity. To counter the risk, some SSL VPN solutions may perform
    client-side security checks with the aid of an applet or control "not
    marked as safe". This is, of course, a silly and bypassable design,
    and has a side effect of teaching the user to click "yes" on
    scripting safety prompts. But I digress... ]

  [ These solutions are sold, among others, by Juniper, Nortel, Nokia,
    Cisco. The following observations are based on Cisco Web VPN (and your
    mileage with this and other vendors may vary).

In their most basic operating mode, SSL VPN systems simply act as a HTTPS
authentication and authorization proxy that relies on session cookies, and
a URI-based request rewriting and forwarding engine. Such a configuration
enables the user to access any HTTP or HTTPS based Intranet applications;
web-based clients for some other protocols are also sometimes included.

  [ With the help of various controls and applets again "not marked as
    safe", SSL VPNs can also forward local TCP ports through that tunnel,
    if unsupported network protocols need to be used. ]

A good example: let's say there's an user who wishes to access his
corporate Outlook Web Access interface from a remote location. The usual
URL for the intranet service is:

  http://owa/exchange/lcamtuf/inbox

To access it over the Internet, that fellow needs to navigate to
https://webvpn.foocorp.com/, enter his credentials, collect a session
cookie, and then go to (or be redirected to) something along the lines of:

  https://webvpn.foocorp.com/http/0/owa/exchange/lcamtuf/inbox

...which, if the cookie validates, would be translated to the original URL
and allowed to go through, with SSL VPN acting as a proxy.

Commercial SSL VPNs are a fairly recent technology that has a considerable
appeal to various corporations. Because of its novelty, however, in a
typical setup it may be subject to several serious security flaws, unless
very carefully designed.

Possibly the most important problem is that web VPNs break the customary
browser security model that relies on domain name separation for the
purpose of restricting access to cookies and other objects. Browsers
generally allow "foo.com" to interact with own cookies or windows, but
prevent the site from accessing resources related to "bar.com". Yet
through SSL VPN, they all may look the same:

  https://webvpn.foocorp.com/http/0/foo.com/serious_work
  https://webvpn.foocorp.com/http/0/bar.com/fun_and_games

Because of this design, all pages displayed through a Web VPN interface
are lumped together. Whenever a page (or just a HTML fragment) that can be
controlled by the attacker is displayed by *any* of the applications
behind Web VPN, Javascript can access:

  - Web VPN session cookie, which can be then passed to the attacker.
    This is equivalent to the attacker obtaining access to all protected
    systems and compromising Web VPN altogether. The threat could be
    mitigated by associating the cookie with client's IP, but such an
    approach is not always implemented, and is impractical with AOL and
    the likes.

  - Application cookies set by other applications. If passed to the
    browser (as some SSL VPNs do), these cookies are separated by the use
    of "path" parameter alone, which does not necessarily establish a
    browser security domain boundary. This is equivalent to the attacker
    obtaining user credentials to these applications.

Some commonly used corporate applications may indeed serve
attacker-supplied contents, making these attacks virtually inherent to
most SSL VPN deployments:

  - Various web mail systems, such as Outlook Web Access (OWA),
    may serve HTML attachments and other documents received from the
    Internet without providing an adequate browser warning. Although
    this is a security challenge by itself for all web mail interfaces
    (where there is a risk of stealing web mail session coookie),
    the access to all SSL VPN cookies make the impact far more serious.

  - Trivial cross-site scripting flaws in *any* available intranet
    application may compromise the entire SSL VPN. Because these
    applications are usually complex, aplenty, and all under-audited,
    existence of such bugs is pretty much a certainty.

  - Trivial cross-site scripting bug in SSL VPNs themselves may endanger
    the entire system. Impossible? Cisco SSL VPN has this:
    https://<vpnhost>/webvpn/dnserror.html?domain=<u>foo</u>
    (and yes, they seem to be aware of this, but have no specific
    timeline for fixing it - so I suppose it's OK to report it;
    hi Larry Seltzer).

  [ The possibility of allowing Internet access through Web VPN is
    something I wouldn't even consider here. ]

Additional problems may arise when SSL VPN gateway IP is added to "trusted
zone" for the purpose of making certain intranet applications work the way
they worked locally at the office.

Yes, these problems are hardly new, and can be mitigated with some very
careful design, and some vendors may be doing it properly - but I think
that the following needs to be said:

  - SSL VPNs may easily turn negligible and common security issues such as
    XSS into a considerable corporation-wide threat; and preventing this
    is hard.

  - Most SSL VPNs may be "secure by design" only in fairly unrealistic
    situations or limited uses.

  - Unless the vendor takes the effort to precisely and honestly explain
    how they mitigate these specific threats, it is safe to assume they
    might be not doing it properly (or not doing it at all).

Since these issues are generally not seriously discussed by vendors in
assessments of their products (say,
http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html),
I would assume that extreme caution needs to be exercised.


Flame on.

Regards,
/mz