Vulnerability CVE-2009-2631


Published: 2009-12-04   Modified: 2012-02-13

Description:
Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design.

See advisories in our WLB2 database:

|      | Topic | Author | Date |
|------|-------|--------|------|
| Med. | Same-origin policy bypass vulnerabilities in several VPN | Juha-Matti Lauri... | 08.12.2009 |

Type: CWE-264 (Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

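| CVSS Base Score | Impact Subscore | Exploitability Subscore |
|-----------------|-----------------|-------------------------|
| 6.8/10 | 6.4/10 | 8.6/10 |

| Exploit range | Attack complexity | Authentication |
|---------------|-------------------|----------------|
| Remote | Medium | Not required |

| Confidentiality impact | Integrity impact | Availability impact |
|------------------------|------------------|---------------------|
| Partial | Partial | Partial |
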
Affected software
Stonesoft -> Stonegate 
Sonicwall -> E-class ssl vpn 
Sonicwall -> Ssl vpn 
Cisco -> Adaptive security appliance 
Aladdin -> Safenet securewire access gateway 

References:
http://kb.juniper.net/KB15799
http://seclists.org/fulldisclosure/2006/Jun/238
http://seclists.org/fulldisclosure/2006/Jun/269
http://seclists.org/fulldisclosure/2006/Jun/270
http://securitytracker.com/id?1023255
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=984744
http://www.kb.cert.org/vuls/id/261869
http://www.securityfocus.com/archive/1/508164/100/0/threaded
http://www.securityfocus.com/bid/37152
http://www.sonicwall.com/us/2123_14882.html
http://www.sonicwall.com/us/2123_14883.html
http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html
http://www.vupen.com/english/advisories/2009/3567
http://www.vupen.com/english/advisories/2009/3568
http://www.vupen.com/english/advisories/2009/3569
http://www.vupen.com/english/advisories/2009/3570
http://www.vupen.com/english/advisories/2009/3571
http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/50/025367-01.pdf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54523

Copyright 2022, cxsecurity.com

 
