Attack Hitting Virtual Private Networks & How to Protect Yourself

Virtual private network (VPN) software from Cisco, Juniper and multiple other vendors is affected by a new vulnerability that puts a large number of customers at risk, according to a Monday report issued by US-CERT.

Clientless SSL VPN is used to provide access through a web browser to internal network resources such as corporate email servers or application servers. The bug allows an attacker to obtain VPN session tokens, read or modify content (including cookies, script, or HTML content), and monitor keystrokes. It concerns more than 90 companies, including Cisco, Juniper, SafeNet, and SonicWall.

Currently there is no solution to this problem, but to mitigate the risk we can do the following:

1- Limit URL rewriting to trusted domains
If supported by the VPN server, URLs should only be rewritten for trusted internal sites. All other sites and domains should not be accessible through the VPN server. Since an attacker only needs to convince a user to visit a web page being viewed through the VPN to exploit this vulnerability, this workaround is likely to be less effective if there are a large number of hosts or domains that can be accessed through the VPN server. When deciding which sites can be visited through use of the VPN server, it is important to remember that all allowed sites will operate within the same security context in the web browser.

2- Limit VPN server network connectivity to trusted domains
It may be possible to configure the VPN device to only access specific network domains. This restriction may also be possible by using firewall rules.

3- Disable URL hiding features
Obfuscating URLs hides the destination page from the end user. This feature can be used by an attacker to hide the destination page of any links they send. For example, https:/// vs https:///778928801
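A deny-by-default host check of the kind mitigations 1 and 2 call for, as an added example that is not from US-CERT or any vendor's product. The hostnames and the `is_rewrite_allowed` function are hypothetical; real VPN servers expose this as configuration rather than code.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical internal names). Keep it short: every
# allowed site shares one browser security context behind the VPN portal.
TRUSTED_HOSTS = {"mail.example.com"}
TRUSTED_SUFFIXES = ("intranet.example.com",)


def is_rewrite_allowed(url: str) -> bool:
    """Return True only if the portal should rewrite and fetch this URL."""
    # Backslashes, whitespace and control characters are parsed differently
    # by browsers and by urllib, so refuse them outright.
    if "\\" in url or any(ord(c) <= 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname   # drops any "user@" prefix and the port
        _ = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    host = host.rstrip(".").lower()
    # The allowlist is name based, so raw IP addresses cannot be vetted.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host in TRUSTED_HOSTS:
        return True
    # Match on a label boundary so look-alike names do not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://mail.example.com/inbox",
        "https://wiki.intranet.example.com/page",
        "https://mail.example.com@attacker.test/",
        "https://intranet.example.com.attacker.test/",
        "https://10.0.0.5/admin",
    ]
    for u in samples:
        print(("ALLOW" if is_rewrite_allowed(u) else "DENY "), u)
```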

It is also very important to contact the vendor to ask whether the gap exists in your product and whether there is a patch to apply for this bug.

The US-CERT report can be found here.
