Re: SSL VPNs and security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Michal,
On Thu, Jun 08, 2006 at 10:48:18PM +0200, Michal Zalewski wrote:
[...]
> Commercial SSL VPNs are a fairly recent technology that has a
> considerable appeal to various corporations. Because of its novelty,
> however, in a typical setup it may be subject to several serious
> security flaws, unless very carefully designed.
[...]
> Some commonly used corporate applications may indeed serve
> attacker-supplied contents, making these attacks virtually inherent to
> most SSL VPN deployments:
[...]
> - Trivial cross-site scripting bug in SSL VPNs themselves may endanger
> the entire system. Impossible? Cisco SSL VPN has this:
> https://<vpnhost>/webvpn/dnserror.html?domain=<u>foo</u>
> (and yes, they seem to be aware of this, but have no specific
> timeline for fixing it - so I suppose it's OK to report it;
> hi Larry Seltzer).
Cisco confirms the existence of a Cross-Site Scripting (XSS)
vulnerability in the clientless mode of the WebVPN feature of the Cisco
VPN 3000 Series Concentrators and the Cisco ASA 5500 Series Adaptive
Security Appliances (ASA).
Please note that the technology affected by the XSS vulnerability
is what Cisco calls "WebVPN clientless mode" and not "WebVPN
full-network-access mode", which is a different encrypted tunnel
technology that is more similar to IPSec and that requires the
installation of the Cisco SSL VPN Client.
For a description of the differences between the clientless and
full-network-access modes of Cisco WebVPN please refer to:
http://www.cisco.com/en/US/products/ps6635/products_data_sheet0900aecd80405e25.html
Cisco is tracking this issue using the following Cisco bug IDs:
* CSCsd81095 - VPN3k vulnerable to cross-site scripting when using WebVPN
* CSCse48193 - ASA vulnerable to cross-site scripting when using WebVPN
The vulnerability happens when certain error conditions occur and the
device tries to make the user aware of the problem. Under these error
conditions the WebVPN feature presents the user with an HTML page that
indicates the error and the URL the user was trying to access.
Because the pages displayed also output the URL where the problem
occurred, it is possible to embed scripting code in the URL that can
then be executed by the user's web browser.
You provided the example
"https://<vpnhost>/webvpn/dnserror.html?domain=<u>foo</u>". In this
example, the vulnerability is triggered when the device displays a DNS
resolution problem ("dnserror.html"). The other possible page where this
problem can happen is "connecterror.html", which is displayed when the
device has trouble connecting to the URL specified by the user.
Cisco bugs CSCsd81095 and CSCse48193 will address the issue for all
WebVPN error conditions.
To exploit these issues an attacker would have to entice authenticated
users to follow a specially crafted, malicious URL. A successful attack
would result in the execution of arbitrary script code in the user's web
browser.
As you point out, SSL VPN technologies have their own set of challenges.
The whitepaper on SSL VPN Security that is mentioned in your original
posting is a good resource on this topic that attempts to address the
nature of these challenges and increase awareness. This whitepaper is
located at:
http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html
This issue was independently reported to Cisco by yourself, Michal
Zalewski, and two other customers. We would like to thank all of them
for bringing this issue to our attention.
This response will also be posted to
http://www.cisco.com/warp/public/707/cisco-sr-20060613-webvpn-xss.shtml.
Cheers,
Eloy Paris.-
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEj0YQagjTfAtNY9gRAhH8AKCcaw+gzqS3T3ew6W6GHMrquUl2iwCfQ2tS
EFbbgrjvpgSKD52OtYXgViI=
=u8We
-----END PGP SIGNATURE-----