Vulnerability Name: CVE-2009-2631 (CCN-54523)
Assigned: 2009-12-03
Published: 2009-12-03
Updated: 2018-10-10
Summary: Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. Note: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:U/RC:UR)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:UR)
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
Source: MITRE Type: CNA CVE-2009-2631
Source: CCN Type: Juniper KB15799 Juniper Networks recommendations for mitigating VU#261869
Source: CONFIRM Type: UNKNOWN http://kb.juniper.net/KB15799
Source: FULLDISC Type: UNKNOWN 20060608 SSL VPNs and security
Source: FULLDISC Type: UNKNOWN 20060609 Re: SSL VPNs and security
Source: FULLDISC Type: UNKNOWN 20060609 Re: SSL VPNs and security
Source: CCN Type: SA37696 Citrix Access Gateway Web VPN Same Origin Policy Bypass
Source: SECUNIA Type: Vendor Advisory 37696
Source: CCN Type: SA37786 Juniper Networks Secure Access Web VPN Same Origin Policy Bypass
Source: SECUNIA Type: Vendor Advisory 37786
Source: CCN Type: SA37788 Stonesoft StoneGate SSL VPN Same Origin Policy Bypass
Source: SECUNIA Type: Vendor Advisory 37788
Source: CCN Type: SA37789 Nortel CallPilot Web VPN Same Origin Policy Bypass
Source: SECUNIA Type: Vendor Advisory 37789
Source: CCN Type: SECTRACK ID: 1023255 Cisco ASA Clientless SSL VPN Feature Lets Remote Users Bypass Web Browser Same-Origin Policy Restrictions
Source: SECTRACK Type: UNKNOWN 1023255
Source: CCN Type: CTX123610 Vulnerability in Clientless SSL VPN Products Could Result in Policy Bypass
Source: CCN Type: Nortel Security Advisory 2009009920, Rev 1 Nortel Enterprise Response to VU#261869: Clientless SSL VPN Security Issue
Source: CONFIRM Type: UNKNOWN http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=984744
Source: CCN Type: US-CERT VU#261869 Clientless SSL VPN products break web browser domain-based security models
Source: CCN Type: US-CERT Vulnerability Note VU#261869 Clientless SSL VPN products break web browser domain-based security models
Source: CERT-VN Type: US Government Resource VU#261869
Source: CCN Type: OSVDB ID: 61190 SonicWALL Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
Source: CCN Type: OSVDB ID: 61191 Cisco ASA Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
Source: CCN Type: OSVDB ID: 61192 Citrix Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
Source: CCN Type: OSVDB ID: 61193 Juniper Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
Source: CCN Type: OSVDB ID: 61194 Nortel Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
Source: CCN Type: OSVDB ID: 61195 Stonegate Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass
Source: BUGTRAQ Type: UNKNOWN 20091202 Same-origin policy bypass vulnerabilities in several VPN products reported
Source: BID Type: UNKNOWN 37152
Source: CCN Type: BID-37152 Multiple Vendor Clientless SSL VPN Products Same Origin Policy Bypass Vulnerability
Source: CONFIRM Type: Vendor Advisory http://www.sonicwall.com/us/2123_14882.html
Source: CONFIRM Type: Vendor Advisory http://www.sonicwall.com/us/2123_14883.html
Source: CCN Type: Stonesoft Corporation Security Advisory StoneGate SSL VPN Breaks Browser Domain-Based Security Model
Source: CONFIRM Type: Vendor Advisory http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html
Source: VUPEN Type: Vendor Advisory ADV-2009-3567
Source: VUPEN Type: Vendor Advisory ADV-2009-3568
Source: VUPEN Type: Vendor Advisory ADV-2009-3569
Source: VUPEN Type: Vendor Advisory ADV-2009-3570
Source: VUPEN Type: Vendor Advisory ADV-2009-3571
Source: CONFIRM Type: UNKNOWN http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/50/025367-01.pdf
Source: XF Type: UNKNOWN sslvpn-sameorigin-security-bypass(54523)
Source: XF Type: UNKNOWN sslvpn-sameorigin-security-bypass(54523)
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable