var-200912-0424
Vulnerability from variot
Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design. An attacker could use these devices to bypass authentication or conduct other web-based attacks.
Multiple SSL VPN (Web VPN) products contain an issue that allows the security mechanism of the web browser to be bypassed. An SSL VPN (Web VPN) is a product that provides a safe method of accessing network resources within an organization (web servers, mail servers, etc.) using a web browser. An SSL VPN (Web VPN) product acts as a proxy between the web browser and the server and rewrites content as necessary. By accessing a crafted web page through an SSL VPN (Web VPN), the web browser's security mechanism (Same Origin Policy) may be bypassed. Products that implement SSL VPN (Web VPN) may be affected by this vulnerability. When a user views a specially crafted page, a remote third party may hijack the VPN session, or content accessed through the SSL VPN (Web VPN) may be viewed or altered.
Attackers may exploit this issue to violate the same-origin policy to obtain VPN session tokens, read or modify cookie-based authentication credentials, or perform unauthorized actions with the privileges of the web-based VPN domain. Other attacks may also be possible.
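Clientless SSL VPN products from Cisco, Juniper Networks, and SonicWall are vulnerable. Other vendors' products may also be affected. We will update this BID as more information emerges.
2. Web VPN authenticates the user and assigns an ID to the session, which is sent to the user's browser in the form of a cookie.
3. For example, http://<www.intranet.example.com>/mail.html link becomes https://<webvpnserver>/www.intranet.example.com/mail.html. The cookie set by the requested web server will be converted into a completely unique cookie before being sent to the user's browser to prevent two cookies with the same name from conflicting. For example, a session ID cookie set by intranet.example.com is renamed intranet.example.com_sessionid before being sent to the user's browser. Additionally, Web VPN replaces references to specific HTML DOM objects like document.cookie. These DOM objects are replaced by scripts that return the value of the DOM object, so that they can be accessed within the security context of the requested site domain.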
SOLUTION: Disable content rewriting for untrusted web servers.
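The rewriting scheme and the mitigation above, as an added example that is not code from the advisories or from any vendor: it models how rewriting places every backend site in the gateway's origin, and expresses "disable content rewriting for untrusted web servers" as a host allowlist checked on a label boundary. The gateway name `webvpn.example.net`, the sample hostnames, and all function names are assumptions made for illustration.

```javascript
// Added example: models the rewriting described in the advisory.
// GATEWAY and every hostname below are constructed placeholders.
const GATEWAY = "https://webvpn.example.net";

// http://<host>/<path>  ->  https://<webvpnserver>/<host>/<path>
function rewriteUrl(backendUrl) {
  const u = new URL(backendUrl);
  return `${GATEWAY}/${u.host}${u.pathname}${u.search}`;
}

// Cookie "sessionid" set by intranet.example.com becomes
// "intranet.example.com_sessionid" on the gateway's domain.
function rewriteCookieName(backendHost, name) {
  return `${backendHost}_${name}`;
}

// The browser compares scheme + host + port; the path is not part of
// the origin, so the per-site path prefix does not separate the sites.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// A host is trusted if it equals an allowlisted domain or is a subdomain
// of one. Matching is on a label boundary, never a bare substring/suffix.
function isTrustedHost(hostname, trustedDomains) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return trustedDomains.some((d) => h === d || h.endsWith("." + d));
}

// Gateway-side decision: rewrite only for trusted servers, refuse the rest.
function decide(backendUrl, trustedDomains) {
  let u;
  try {
    u = new URL(backendUrl);
  } catch {
    return { action: "deny", reason: "unparseable URL" };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { action: "deny", reason: "scheme not allowed" };
  }
  // u.hostname is the host after the parser has discarded any userinfo,
  // so "http://intranet.example.com@other/" is judged by "other".
  if (!isTrustedHost(u.hostname, trustedDomains)) {
    return { action: "deny", reason: "untrusted host: " + u.hostname };
  }
  return { action: "rewrite", url: rewriteUrl(backendUrl) };
}

// Audit helper: for a list of requested backend URLs, report which
// distinct backend origins end up sharing each browser-visible origin.
function originCollapse(backendUrls) {
  const seen = new Map();
  for (const b of backendUrls) {
    const visible = new URL(rewriteUrl(b)).origin;
    if (!seen.has(visible)) seen.set(visible, new Set());
    seen.get(visible).add(new URL(b).origin);
  }
  return [...seen].map(([visible, set]) => ({
    visible,
    backends: [...set].sort(),
  }));
}

// Constructed sample of URLs requested through the gateway.
const REQUESTED = [
  "http://www.intranet.example.com/mail.html",
  "https://wiki.intranet.example.com/start",
  "http://unrelated.example.org/page.html",
  "http://intranet.example.com.unrelated.example.org/",
  "http://intranet.example.com@unrelated.example.org/",
];
const TRUSTED = ["intranet.example.com"];

for (const url of REQUESTED) {
  const d = decide(url, TRUSTED);
  console.log(d.action.padEnd(8), url, d.url || d.reason);
}
console.log(JSON.stringify(originCollapse(REQUESTED), null, 2));
```

Without the allowlist, `originCollapse` reports a single browser-visible origin shared by every backend in the sample; with it, only the two intranet hosts are rewritten.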
The vulnerability is reported in CallPilot 201i, 202i, 600r, 703t, 1002rp, and 1005r.
SOLUTION: The vendor recommends avoiding browsing other web sites while logged in to CallPilot Manager or My CallPilot.
TITLE: Citrix Access Gateway Web VPN Same Origin Policy Bypass
SECUNIA ADVISORY ID: SA37696
VERIFY ADVISORY: http://secunia.com/advisories/37696/
DESCRIPTION: A vulnerability has been reported in Citrix Access Gateway, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to the web-based VPN implementation prepending the same domain to all opened websites. This can be exploited to bypass a browser's same origin policy and e.g. access cookies for normally restricted domains by tricking a user into browsing to a malicious website via the VPN.
The vulnerability is reported in Citrix Access Gateway Enterprise Edition versions 8.1 and later, and all supported Citrix Access Gateway Advanced Edition versions.
SOLUTION: Do not allow access to untrusted domains via the VPN. Please see the vendor's advisory for more information.
PROVIDED AND/OR DISCOVERED BY: US-CERT credits Michal Zalewski and Mike Zusman for the original report.
Additional vulnerability details provided by David Warren and Ryan Giobbi of US-CERT.
ORIGINAL ADVISORY: Citrix: http://support.citrix.com/article/CTX123610
US-CERT VU#261869: http://www.kb.cert.org/vuls/id/261869
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200912-0424", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "adaptive security appliance", "scope": "eq", "trust": 1.0, "vendor": "cisco", "version": "*" }, { "model": "stonegate", "scope": "eq", "trust": 1.0, "vendor": "stonesoft", "version": "*" }, { "model": "ssl vpn", "scope": "eq", "trust": 1.0, "vendor": "sonicwall", "version": "*" }, { 
"model": "safenet securewire access gateway", "scope": "eq", "trust": 1.0, "vendor": "aladdin", "version": "*" }, { "model": "e-class ssl vpn", "scope": "eq", "trust": 1.0, "vendor": "sonicwall", "version": "*" }, { "model": null, "scope": null, "trust": 0.8, "vendor": "check point", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "cisco", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "citrix", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "juniper", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "microsoft", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "nortel", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "openvpn", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "safenet", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "sonicwall", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "stonesoft", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "sun microsystems", "version": null }, { "model": null, "scope": null, "trust": 0.8, "vendor": "aep", "version": null }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.8, "vendor": "cisco", "version": "vendors ssl vpn product" }, { "model": "adaptive security appliance", "scope": null, "trust": 0.6, "vendor": "cisco", "version": null }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "7.1" }, { "model": "java system portal server", "scope": "eq", "trust": 0.3, "vendor": "sun", "version": "7" }, { "model": "networks callpilot 600r", "scope": null, "trust": 0.3, "vendor": "nortel", "version": null }, { "model": "ssl vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "2002.1" }, { "model": "secure access", "scope": "eq", "trust": 0.3, "vendor": "juniper", 
"version": "25000" }, { "model": "clientless ssl vpn", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "secure access", "scope": "eq", "trust": 0.3, "vendor": "juniper", "version": "600050000" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.1.2" }, { "model": "networks callpilot 202i", "scope": null, "trust": 0.3, "vendor": "nortel", "version": null }, { "model": "java system portal server", "scope": "eq", "trust": 0.3, "vendor": "sun", "version": "6.3.1" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.1.2.25" }, { "model": "access gateway enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "citrix", "version": "9.0" }, { "model": "stonegate ssl vpn engine", "scope": "eq", "trust": 0.3, "vendor": "stonesoft", "version": "1.4" }, { "model": "netscaler access gateway enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "citrix", "version": "9.0" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.0(4)" }, { "model": "access gateway advanced edition", "scope": "eq", "trust": 0.3, "vendor": "citrix", "version": "4.5.5" }, { "model": "secure access sp", "scope": "eq", "trust": 0.3, "vendor": "juniper", "version": "60006000" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.0" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "7.1.2.61" }, { "model": "java system portal server", "scope": "eq", "trust": 0.3, "vendor": "sun", "version": "7.2" }, { "model": "networks callpilot 1002rp", "scope": null, "trust": 0.3, "vendor": "nortel", "version": null }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.1(2)19" }, { "model": "sa700 ssl vpn", "scope": "eq", "trust": 0.3, "vendor": "juniper", "version": 
"0" }, { "model": "ssl-r", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "4.0.18" }, { "model": "ssl-vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "20003.55" }, { "model": "ssl vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "1.33" }, { "model": "secure access", "scope": "eq", "trust": 0.3, "vendor": "juniper", "version": "65000" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.2.1" }, { "model": "secure access", "scope": "eq", "trust": 0.3, "vendor": "juniper", "version": "7000" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.0.211" }, { "model": "ssl-rx", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "4.0.18" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.1(2)14" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "7.2" }, { "model": "netscaler access gateway enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "citrix", "version": "8.1" }, { "model": "ssl-vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "2003.08" }, { "model": "ssl vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "2.5" }, { "model": "ssl-vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "20003.54" }, { "model": "ssl-vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "40003.54" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.0.4.34" }, { "model": "stonegate ssl vpn engine", "scope": "eq", "trust": 0.3, "vendor": "stonesoft", "version": "1.1" }, { "model": "access gateway advanced edition", "scope": "eq", "trust": 0.3, "vendor": "citrix", "version": "4.5" }, { "model": "access gateway enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "citrix", 
"version": "9.1" }, { "model": "networks callpilot 1005r", "scope": null, "trust": 0.3, "vendor": "nortel", "version": null }, { "model": "secure access", "scope": "eq", "trust": 0.3, "vendor": "juniper", "version": "20000" }, { "model": "access gateway advanced edition hf2", "scope": "eq", "trust": 0.3, "vendor": "citrix", "version": "4.5" }, { "model": "ssl-vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "2003.09" }, { "model": "java system portal server", "scope": "eq", "trust": 0.3, "vendor": "sun", "version": "7.1" }, { "model": "networks callpilot 703t", "scope": null, "trust": 0.3, "vendor": "nortel", "version": null }, { "model": "java system portal server", "scope": "eq", "trust": 0.3, "vendor": "sun", "version": "7.0" }, { "model": "networks callpilot 201i", "scope": null, "trust": 0.3, "vendor": "nortel", "version": null }, { "model": "ssl-r3", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "4.0.18" }, { "model": "ssl-vpn", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "40003.55" }, { "model": "secure access", "scope": "eq", "trust": 0.3, "vendor": "juniper", "version": "45000" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "7.2.2.34" }, { "model": "stonegate ssl vpn engine", "scope": "eq", "trust": 0.3, "vendor": "stonesoft", "version": "1.3.1" }, { "model": "secure access", "scope": "eq", "trust": 0.3, "vendor": "juniper", "version": "400030000" }, { "model": "ssl-r6", "scope": "eq", "trust": 0.3, "vendor": "sonicwall", "version": "4.0.18" }, { "model": "adaptive security appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "8.2.13" } ], "sources": [ { "db": "CERT/CC", "id": "VU#261869" }, { "db": "BID", "id": "37152" }, { "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "db": "NVD", "id": "CVE-2009-2631" }, { "db": "CNNVD", "id": "CNNVD-200912-055" } ] }, "configurations": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:cisco:adaptive_security_appliance:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:sonicwall:e-class_ssl_vpn:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:sonicwall:ssl_vpn:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:stonesoft:stonegate:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:aladdin:safenet_securewire_access_gateway:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2009-2631" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Michal Zalewski\u203b lcamtuf@echelon.pl", "sources": [ { "db": "CNNVD", "id": "CNNVD-200912-055" } ], "trust": 0.6 }, "cve": "CVE-2009-2631", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", 
"accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.6, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": true, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "CARNEGIE MELLON", "availabilityImpact": "PARTIAL", "availabilityRequirement": "NOT DEFINED", "baseScore": 6.8, "collateralDamagePotential": "NOT DEFINED", "confidentialityImpact": "PARTIAL", "confidentialityRequirement": "NOT DEFINED", "enviromentalScore": 4.6, "exploitability": "PROOF-OF-CONCEPT", "exploitabilityScore": 8.6, "id": "VU#261869", "impactScore": 6.4, "integrityImpact": "PARTIAL", "integrityRequirement": "NOT DEFINED", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "remediationLevel": "NOT DEFINED", "reportConfidence": "CONFIRMED", "severity": "MEDIUM", "targetDistribution": "MEDIUM", "trust": 0.8, "userInterationRequired": null, "vector_string": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 6.8, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2009-2631", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": 
"PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.6, "id": "VHN-40077", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2009-2631", "trust": 1.8, "value": "MEDIUM" }, { "author": "CARNEGIE MELLON", "id": "VU#261869", "trust": 0.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-200912-055", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULHUB", "id": "VHN-40077", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CERT/CC", "id": "VU#261869" }, { "db": "VULHUB", "id": "VHN-40077" }, { "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "db": "NVD", "id": "CVE-2009-2631" }, { "db": "CNNVD", "id": "CNNVD-200912-055" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN\u0027s domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. 
Therefore a single CVE has been assigned for all products that have this design. An attacker could use these devices to bypass authentication or conduct other web-based attacks. plural SSL VPN (Web VPN) There is a problem with the product that can bypass the security mechanism of the web browser. SL VPN (Web VPN) Network resources within an organization using a web browser ( Web server, mail server, etc. ) It is a product to provide a safe access method. SSL VPN (Web VPN) The product rewrites content as necessary as a proxy between the web browser and the server. SSL VPN (Web VPN) Web browser security mechanisms by accessing crafted web pages through (Same Origin Policy) May be bypassed. SSL VPN (Web VPN) Products that implement may be affected by this vulnerability.When a user views a specially crafted page, a remote third party VPN Or hijacking your session SSL VPN (Web VPN) There is a possibility that the content accessed through the site may be viewed or altered. \nAttackers may exploit this issue to violate the same-origin policy to obtain VPN session tokens, read or modify cookie-based authentication credentials, or perform unauthorized actions with the privileges of the web-based VPN domain. Other attacks may also be possible. \nClientless SSL VPN products from Cisco, Juniper Networks, and SonicWall are vulnerable. Other vendors\u0027 products may also be affected. We will update this BID as more information emerges. 2. Web VPN authenticates the user and assigns an ID to the session, which is sent to the user\u0027s browser in the form of a cookie. 3. For example, http://\u003cwww.intranet.example.com\u003e/mail.html link becomes https://\u003cwebvpnserver\u003e/www.intranet.example.com/mail.html. The cookie set by the requested web server will be converted into a completely unique cookie before being sent to the user\u0027s browser to prevent two cookies with the same name from conflicting. 
For example, a session ID cookie set by intranet.example.com is renamed intranet.example.com_sessionid before being sent to the user\u0027s browser. Additionally, Web VPN replaces references to specific HTML DOM objects like document.cookie. These DOM objects are replaced by scripts that return the value of the DOM object, so that they can be accessed within the security context of the requested site domain. \n\nSOLUTION:\nDisable content rewriting for untrusted web servers. \n\nThe vulnerability is reported in CallPilot 201i, 202i, 600r, 703t,\n1002rp, and 1005r. \n\nSOLUTION:\nThe vendor recommends to avoid browsing other web sites while logged\nin to CallPilot Manager or My CallPilot. ----------------------------------------------------------------------\n\nDo you have VARM strategy implemented?\n\n(Vulnerability Assessment Remediation Management) \n\nIf not, then implement it through the most reliable vulnerability\nintelligence source on the market. \n\nImplement it through Secunia. \n\nFor more information visit:\nhttp://secunia.com/advisories/business_solutions/\n\nAlternatively request a call from a Secunia representative today to\ndiscuss how we can help you with our capabilities contact us at:\nsales@secunia.com\n\n----------------------------------------------------------------------\n\nTITLE:\nCitrix Access Gateway Web VPN Same Origin Policy Bypass\n\nSECUNIA ADVISORY ID:\nSA37696\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/37696/\n\nDESCRIPTION:\nA vulnerability has been reported in Citrix Access Gateway, which can\nbe exploited by malicious people to bypass certain security\nrestrictions. \n\nThe vulnerability is caused due to the web-based VPN implementation\nprepending the same domain to all opened websites. This can be\nexploited to bypass a browser\u0027s same origin policy and e.g. access\ncookies for normally restricted domains by tricking a user into\nbrowsing to a malicious website via the VPN. 
\n\nThe vulnerability is reported in Citrix Access Gateway Enterprise\nEdition versions 8.1 and later, and all supported Citrix Access\nGateway Advanced Edition versions. \n\nSOLUTION:\nDo not allow access to untrusted domains via the VPN. Please see the\nvendor\u0027s advisory for more information. \n\nPROVIDED AND/OR DISCOVERED BY:\nUS-CERT credits Michal Zalewski and Mike Zusman for the original\nreport. \n\nAdditional vulnerability details provided by David Warren and Ryan\nGiobbi of US-CERT. \n\nORIGINAL ADVISORY:\nCitrix:\nhttp://support.citrix.com/article/CTX123610\n\nUS-CERT VU#261869:\nhttp://www.kb.cert.org/vuls/id/261869\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. 
\n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n", "sources": [ { "db": "NVD", "id": "CVE-2009-2631" }, { "db": "CERT/CC", "id": "VU#261869" }, { "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "db": "BID", "id": "37152" }, { "db": "VULHUB", "id": "VHN-40077" }, { "db": "PACKETSTORM", "id": "83939" }, { "db": "PACKETSTORM", "id": "83938" }, { "db": "PACKETSTORM", "id": "83953" }, { "db": "PACKETSTORM", "id": "83937" } ], "trust": 3.06 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "CERT/CC", "id": "VU#261869", "trust": 4.0 }, { "db": "NVD", "id": "CVE-2009-2631", "trust": 2.8 }, { "db": "BID", "id": "37152", "trust": 2.0 }, { "db": "SECUNIA", "id": "37786", "trust": 1.9 }, { "db": "SECUNIA", "id": "37788", "trust": 1.9 }, { "db": "SECUNIA", "id": "37789", "trust": 1.9 }, { "db": "SECUNIA", "id": "37696", "trust": 1.9 }, { "db": "VUPEN", "id": "ADV-2009-3571", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2009-3569", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2009-3570", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2009-3567", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2009-3568", "trust": 1.7 }, { "db": "SECTRACK", "id": "1023255", "trust": 1.7 }, { "db": "JVNDB", "id": "JVNDB-2009-002426", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-200912-055", "trust": 0.7 }, { "db": "BUGTRAQ", "id": "20091202 SAME-ORIGIN POLICY BYPASS VULNERABILITIES IN SEVERAL VPN PRODUCTS REPORTED", "trust": 0.6 }, { "db": "XF", "id": "54523", "trust": 0.6 }, { "db": "FULLDISC", "id": "20060608 SSL VPNS AND SECURITY", "trust": 0.6 }, { "db": "FULLDISC", "id": 
"20060609 RE: SSL VPNS AND SECURITY", "trust": 0.6 }, { "db": "VULHUB", "id": "VHN-40077", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "83939", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "83938", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "83953", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "83937", "trust": 0.1 } ], "sources": [ { "db": "CERT/CC", "id": "VU#261869" }, { "db": "VULHUB", "id": "VHN-40077" }, { "db": "BID", "id": "37152" }, { "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "db": "PACKETSTORM", "id": "83939" }, { "db": "PACKETSTORM", "id": "83938" }, { "db": "PACKETSTORM", "id": "83953" }, { "db": "PACKETSTORM", "id": "83937" }, { "db": "NVD", "id": "CVE-2009-2631" }, { "db": "CNNVD", "id": "CNNVD-200912-055" } ] }, "id": "VAR-200912-0424", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-40077" } ], "trust": 0.4611111 }, "last_update_date": "2023-12-18T12:11:26.901000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SSL VPN Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=169937" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-200912-055" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-264", "trust": 1.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-40077" }, { "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "db": "NVD", "id": "CVE-2009-2631" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { 
"@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.2, "url": "http://www.kb.cert.org/vuls/id/261869" }, { "trust": 2.1, "url": "http://kb.juniper.net/kb15799" }, { "trust": 2.1, "url": "http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html" }, { "trust": 2.0, "url": "http://seclists.org/fulldisclosure/2006/jun/238" }, { "trust": 1.7, "url": "http://www.securityfocus.com/bid/37152" }, { "trust": 1.7, "url": "http://www.sonicwall.com/us/2123_14882.html" }, { "trust": 1.7, "url": "http://www.sonicwall.com/us/2123_14883.html" }, { "trust": 1.7, "url": "http://www116.nortel.com/pub/repository/clarify/document/2009/50/025367-01.pdf" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2006/jun/269" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2006/jun/270" }, { "trust": 1.7, "url": "http://securitytracker.com/id?1023255" }, { "trust": 1.7, "url": "http://secunia.com/advisories/37696" }, { "trust": 1.7, "url": "http://secunia.com/advisories/37786" }, { "trust": 1.7, "url": "http://secunia.com/advisories/37788" }, { "trust": 1.7, "url": "http://secunia.com/advisories/37789" }, { "trust": 1.7, "url": "http://www.vupen.com/english/advisories/2009/3567" }, { "trust": 1.7, "url": "http://www.vupen.com/english/advisories/2009/3568" }, { "trust": 1.7, "url": "http://www.vupen.com/english/advisories/2009/3569" }, { "trust": 1.7, "url": "http://www.vupen.com/english/advisories/2009/3570" }, { "trust": 1.7, "url": "http://www.vupen.com/english/advisories/2009/3571" }, { "trust": 1.7, "url": "http://support.nortel.com/go/main.jsp?cscat=bltndetail\u0026documentoid=984744" }, { "trust": 1.2, "url": "http://support.citrix.com/article/ctx123610" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/508164/100/0/threaded" }, { "trust": 1.1, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54523" }, { "trust": 0.8, 
"url": "https://developer.mozilla.org/en/same_origin_policy_for_javascript" }, { "trust": 0.8, "url": "https://developer.mozilla.org/en/dom/document.cookie" }, { "trust": 0.8, "url": "http://code.google.com/p/browsersec/wiki/part2#same-origin_policy" }, { "trust": 0.8, "url": "http://www.owasp.org/index.php/category:owasp_cookies_database" }, { "trust": 0.8, "url": "http://www.owasp.org/index.php/testing_for_session_management_schema_(owasp-sm-001)#black_box_testing_and_examples" }, { "trust": 0.8, "url": "http://www.cisco.com/en/us/docs/ios/security/configuration/guide/sec_ssl_vpn.html#wp1404057" }, { "trust": 0.8, "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-june/046708.html" }, { "trust": 0.8, "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-june/046886.html" }, { "trust": 0.8, "url": "http://www.blackhat.com/presentations/bh-usa-08/zusman/bh_us_08_zusman_ssl_vpn_abuse.pdf" }, { "trust": 0.8, "url": "http://www.cisco.com/en/us/docs/security/asa/asa80/configuration/guide/svc.html" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2631" }, { "trust": 0.8, "url": "http://jvn.jp/cert/jvnvu261869/index.html" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-2631" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/54523" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/508164/100/0/threaded" }, { "trust": 0.4, "url": "http://secunia.com/advisories/secunia_security_advisories/" }, { "trust": 0.4, "url": "http://secunia.com/advisories/business_solutions/" }, { "trust": 0.4, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.4, "url": "http://secunia.com/advisories/about_secunia_advisories/" }, { "trust": 0.3, "url": "http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable" }, { "trust": 0.3, "url": "http://support.nortel.com/go/main.jsp?cscat=bltndetail\u0026id=984744" }, 
{ "trust": 0.1, "url": "http://support.nortel.com/go/main.jsp?cscat=bltndetail\u0026amp;documentoid=984744" }, { "trust": 0.1, "url": "http://secunia.com/advisories/37786/" }, { "trust": 0.1, "url": "https://www.juniper.net/alerts/viewalert.jsp?actionbtn=search\u0026txtalertnumber=psn-2009-11-580\u0026viewmode=view" }, { "trust": 0.1, "url": "http://secunia.com/advisories/37789/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/37696/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/37788/" } ], "sources": [ { "db": "CERT/CC", "id": "VU#261869" }, { "db": "VULHUB", "id": "VHN-40077" }, { "db": "BID", "id": "37152" }, { "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "db": "PACKETSTORM", "id": "83939" }, { "db": "PACKETSTORM", "id": "83938" }, { "db": "PACKETSTORM", "id": "83953" }, { "db": "PACKETSTORM", "id": "83937" }, { "db": "NVD", "id": "CVE-2009-2631" }, { "db": "CNNVD", "id": "CNNVD-200912-055" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CERT/CC", "id": "VU#261869" }, { "db": "VULHUB", "id": "VHN-40077" }, { "db": "BID", "id": "37152" }, { "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "db": "PACKETSTORM", "id": "83939" }, { "db": "PACKETSTORM", "id": "83938" }, { "db": "PACKETSTORM", "id": "83953" }, { "db": "PACKETSTORM", "id": "83937" }, { "db": "NVD", "id": "CVE-2009-2631" }, { "db": "CNNVD", "id": "CNNVD-200912-055" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2009-11-30T00:00:00", "db": "CERT/CC", "id": "VU#261869" }, { "date": "2009-12-04T00:00:00", "db": "VULHUB", "id": "VHN-40077" }, { "date": "2009-11-30T00:00:00", "db": "BID", "id": "37152" }, { "date": "2010-01-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "date": "2009-12-16T15:35:57", "db": "PACKETSTORM", "id": "83939" }, { "date": 
"2009-12-16T15:35:54", "db": "PACKETSTORM", "id": "83938" }, { "date": "2009-12-16T16:15:46", "db": "PACKETSTORM", "id": "83953" }, { "date": "2009-12-16T15:35:52", "db": "PACKETSTORM", "id": "83937" }, { "date": "2009-12-04T11:30:00.437000", "db": "NVD", "id": "CVE-2009-2631" }, { "date": "2009-11-30T00:00:00", "db": "CNNVD", "id": "CNNVD-200912-055" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2013-06-20T00:00:00", "db": "CERT/CC", "id": "VU#261869" }, { "date": "2018-10-10T00:00:00", "db": "VULHUB", "id": "VHN-40077" }, { "date": "2009-12-16T13:53:00", "db": "BID", "id": "37152" }, { "date": "2010-01-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2009-002426" }, { "date": "2018-10-10T19:41:04.607000", "db": "NVD", "id": "CVE-2009-2631" }, { "date": "2021-11-16T00:00:00", "db": "CNNVD", "id": "CNNVD-200912-055" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200912-055" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Clientless SSL VPN products break web browser domain-based security models", "sources": [ { "db": "CERT/CC", "id": "VU#261869" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-200912-055" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.