Last Monday, the US-CERT warned the public of an SSL VPN vulnerability that affects a long list of vendors (NCP is not among them). The US-CERT states that these clientless SSL VPNs “break fundamental browser security mechanisms, [where] an attacker could use these devices to bypass authentication or conduct other web-based attacks”.
SSL VPNs provide employees with access to company servers, internal fileshares and remote desktop capabilities through a Web browser, and this vulnerability can expose users to man-in-the-middle attacks. This is a serious problem because it gives attackers a way into sensitive company data.
There is no known fix for the vulnerability. The advisory urges administrators to deploy workarounds and check with the specific vendors for product-specific instructions. Administrators can limit URL rewriting to trusted domains, configure the VPN device to only access specific network domains and disable URL hiding features. Is it time to start rethinking remote access choices?
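The first workaround, limiting URL rewriting to trusted domains, depends on how strictly the gateway matches host names. The sketch below is an added example, not code from the advisory or from any vendor's product; the function name `may_rewrite` and the `example.com` allowlist entries are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical names, not taken from the advisory).
EXACT_HOSTS = {"intranet.example.com", "files.example.com"}
DOMAIN_SUFFIXES = {"corp.example.com"}  # the domain itself plus its subdomains

def may_rewrite(url, exact=EXACT_HOSTS, suffixes=DOMAIN_SUFFIXES):
    """Return True only if the gateway should rewrite and proxy this URL."""
    # Reject characters that browsers and this parser treat differently.
    if any(c in url for c in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname      # userinfo ("user@") and port are stripped
        parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    host = host.rstrip(".")        # treat "host." and "host" as the same name
    if host in exact:
        return True
    # Match on a label boundary so "evilcorp.example.com" does not pass.
    return any(host == s or host.endswith("." + s) for s in suffixes)

if __name__ == "__main__":
    for sample in (                # constructed sample URLs
        "https://intranet.example.com/wiki",
        "https://build.corp.example.com:8443/ci",
        "https://evilcorp.example.com/",
        "https://intranet.example.com.untrusted.test/",
        "https://intranet.example.com@untrusted.test/",
        "javascript:void(0)",
    ):
        print("allow" if may_rewrite(sample) else "deny ", sample)
```

Matching on the parsed host name with a label boundary, rather than on a substring of the URL, is what keeps look-alike hosts outside the trusted set.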
This issue was discovered by David Warren and Ryan Giobbi with help from Michal Zalewski and Mike Zusman. For additional details on the SSL VPN vulnerability (vulnerability note VU#261869), visit: http://www.kb.cert.org/vuls/id/261869