06. December 2009 · Clientless SSL VPN design officially acknowledged as a vulnerability · Categories: Application Security, Secure Browsing, Vendor Liability

On November 30, 2009, US-CERT classified the design of the popular Clientless SSL VPN class of products as a vulnerability (US-CERT Vulnerability Note VU#261869). In other words, the way Clientless SSL VPNs work is itself the vulnerability, and there is no direct fix. The issue is that Clientless SSL VPNs, by design, subvert the web browser's same-origin policy: the gateway rewrites the URLs of every site a user reaches through it so that all of that content is served from the gateway's own domain, and the browser therefore treats pages from unrelated sites as one origin and stops isolating them from each other. The policy is described here and here.
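To make the origin collapse concrete, here is an added example (not code from the original post, US-CERT, or any vendor's product) that models a gateway's URL rewriter and checks what the browser's same-origin policy sees before and after rewriting. The hostnames vpn.example, bank.example and attacker.example and the /proxy/<scheme>/<host>/ path layout are assumptions chosen for illustration.

```javascript
// Added example: how a clientless SSL VPN's URL rewriting collapses origins.
// Assumptions: the gateway lives at https://vpn.example and encodes the real
// target as /proxy/<scheme>/<host>/<path>. Real products use their own layouts.

const VPN_GATEWAY = "https://vpn.example";

// Origin as the same-origin policy defines it: scheme, host and port.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Model of the gateway's rewriter: every remote resource is served from the
// gateway's own origin, with the true scheme and host moved into the path.
function rewrite(targetUrl) {
  const u = new URL(targetUrl);
  const scheme = u.protocol.replace(":", "");
  return `${VPN_GATEWAY}/proxy/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Inverse mapping the gateway uses to decide which backend to fetch from.
function unrewrite(proxiedUrl) {
  const u = new URL(proxiedUrl);
  const m = u.pathname.match(/^\/proxy\/(https?)\/([^/]+)(\/.*)?$/);
  if (!m) throw new Error("not a proxied URL: " + proxiedUrl);
  return `${m[1]}://${m[2]}${m[3] || "/"}${u.search}`;
}

// Security-relevant outcome for two sites visited by the same user:
// does the browser keep them apart directly, and does it still do so
// once both are fetched through the gateway?
function originCollapse(siteA, siteB) {
  return {
    isolatedDirectly: !sameOrigin(siteA, siteB),
    isolatedViaVpn: !sameOrigin(rewrite(siteA), rewrite(siteB)),
  };
}

// Constructed sample input: a sensitive site and an attacker-controlled page.
const bank = "https://bank.example/account";
const attacker = "http://attacker.example/evil.html";

console.log("rewritten bank page:    ", rewrite(bank));
console.log("rewritten attacker page:", rewrite(attacker));
console.log(originCollapse(bank, attacker));
```

When both pages are fetched through the gateway they share the origin https://vpn.example, so script on the rewritten attacker page is no longer prevented by the browser from reading the rewritten bank page's content or the gateway's cookies. That is the property the US-CERT note describes, and it follows from the rewriting architecture rather than from any bug in a particular implementation.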

This is by no means the first time this vulnerability has been written about; see Michal Zalewski's article of June 6, 2006, which provides a lucid attack example. Cisco acknowledged Zalewski's references to Cisco's SSL VPN here.

All software products contain security flaws. Most of them are implementation bugs that are more or less straightforwardly fixed in a patch or a new release. Occasionally a vulnerability is the result of a design flaw. However, this is the first time I am aware of that an entire class of security products has been found to be architecturally flawed at its design level.