Clientless SSL products provide web-based access to intranet sites, internal file shares and remote desktops, without needing to install a traditional VPN client.
Many of these products operate in a way that bypasses fundamental web browser domain-based security mechanisms, US-CERT said. Products from Cisco, Citrix, McAfee, Intel and a number of other vendors are affected.
Because of the vulnerability, an attacker could create a malicious page that, when viewed through the clientless VPN, be used to hijack a user's session or capture keystrokes.Through a specially crafted web page, an attacker could retrieve all cookies set by sites requested through the clientless VPN and then use those cookies to “hijack the user's VPN session and all other sessions accessed through the web (clientless) VPN that rely on cookies for session identification,” the US-CERT said. Also, an attacker could construct a page with a hidden frame that could log a user's keystrokes.
“There is no solution to this problem,” the US-CERT said in its advisory. “Depending on their specific configuration and location in the network, these devices may be impossible to operate securely.”
The US-CERT offered a number of workarounds, such as limiting URL rewriting or VPN server network connectivity to only trusted domains, or disabling URL hiding features.