Security Now Blog: Addressing Today's Information Security Issues

Enterprises at Risk from SSL VPN Security Vulnerabilities

by Fatih Comlekoglu, Chief Software Architect

Contrary to popular belief, SSL VPNs do need to have client software installed on the endpoint. Widely used SSL VPN offerings rely on one or more ActiveX components running inside web browsers. Further, any web browser vulnerability represents an SSL VPN vulnerability. The web browser is the most vulnerable and exposed part of the enterprise.

ActiveX components require admin rights to be installed and upgraded. So, maintaining these ActiveX components requires administrators to centrally manage the components like traditional software. Unfortunately, this defeats the original premise of SSL VPNs: running from browsers from any computer without any desktop management overhead.

The other way to install and upgrade these ActiveX components is to give end-users admin rights. Unfortunately, this represents a major security risk. End-users with admin rights tend to operate their PCs at this highest privilege level instead of using a separate least-privilege account for everyday use. This generally lowers the effort required to infect a PC with practically undetectable malware.

Management issues and admin rights aside, when PCs operating in least privilege mode rely on SSL VPN technology, the organization that owns the PCs is exposed to many other risks as well.

SSL VPNs are facilitated by ActiveX and other “mashed-up” web technologies. As a result, SSL VPNs inherit many of the vulnerabilities from these underlying technologies:

Any security vulnerability affecting a browser translates into an SSL VPN vulnerability. As reported in Bypassing Browser Memory Protections, Windows Vista’s security feature of running the Internet Explorer browser in Protected Mode is easily bypassed by improperly developed third-party or malicious plug-ins such as ActiveX controls.

Web browsers will always have zero-day exploits. Organizations that rely on SSL VPNs are at significant risk of information leaks or information poisoning (i.e., altering) through web browsers.

Browsers will always be susceptible to attacks including phishing and well known variations of XSS (Cross-Site Scripting). Even if the browser had no defect, SSL VPNs are based on Web application technologies that are fundamentally flawed.

SSL VPNs suffer from classic SSL vulnerabilities: DNS poisoning and Man-In-The-Middle (MiM) attacks. Certificates for MiM are obtained via social engineering. As demonstrated at Black Hat 2008, using TSeep Proxy, an SSL VPN MiM attacker is able to see any information flowing between the SSL VPN client and the VPN server.

ActiveX has complete access to a computer’s file system and registry with the user’s privileges. More significantly, for unmanaged desktops, ActiveX site-locking is not practical. This opens new possibilities for attackers.

Without site-locking, an SSL VPN vendor’s ActiveX component can be utilized by any hostile website visited by the user for a re-purposing attack. This was recently documented regarding the Juniper ActiveX Command Execution vulnerability.

An attacker can use a spoofed version of the Juniper ActiveX component to launch an arbitrary executable. This Juniper SSL-VPN Client ActiveX Control was also vulnerable to a remote buffer overflow attack. When exploited, the attacker could inject and run arbitrary code on the user’s machine.
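The site-locking discussed above is, at its core, a decision about whether the page hosting the control is on the vendor’s allowlist. The following is an added example, not code from this post or from any vendor’s control, that shows that decision in language-neutral Python rather than the ATL SiteLock template (a real control obtains the hosting document’s URL through its site interfaces; here it is passed in). The `example.com` hosts and the `ALLOWED_SITES` table are constructed for illustration. It also shows the classic mistake a reviewer should look for: a plain suffix test, which lets `evilexample.com` pass as `example.com`.

```python
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical vendor domain): scheme plus host pattern.
# A leading dot means "this domain and any subdomain of it".
ALLOWED_SITES = (
    ("https", "vpn.example.com"),
    ("https", ".example.com"),
)


def naive_suffix_match(host: str, domain: str) -> bool:
    """The common mistake: a plain suffix test, which accepts evilexample.com
    for example.com because there is no label-boundary check."""
    return host.lower().endswith(domain.lower())


def host_matches(host: str, pattern: str) -> bool:
    """Label-boundary match: exact host, or a subdomain of a dotted pattern."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        # ".example.com" matches example.com itself and anything ending in ".example.com"
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def site_allowed(hosting_url: str, allowlist=ALLOWED_SITES) -> bool:
    """Decide whether the page at hosting_url may instantiate and script the control."""
    parts = urlsplit(hosting_url)
    # Only http(s) pages can be matched against the allowlist; about:, file:,
    # javascript: and data: URLs have no trustworthy host and are always refused.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return any(
        parts.scheme == scheme and host_matches(parts.hostname, pattern)
        for scheme, pattern in allowlist
    )


if __name__ == "__main__":
    for url in ("https://vpn.example.com/login", "http://vpn.example.com/",
                "https://evilexample.com/", "https://vpn.example.com.attacker.invalid/"):
        print(url, "->", "allowed" if site_allowed(url) else "refused")
```

Requiring `https` in the allowlist matters as much as the host check: an `http` page on the right domain can be rewritten by the same MiM attacker the post describes, and would then be able to drive the control. The scheme and host are both part of the decision, and neither is taken from attacker-controlled page content.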

SSL VPNs rely on weak security within the web browser. The Novell SSL VPN ActiveX component is supposed to perform rudimentary checks on a host’s health posture to determine whether the PC may establish a normal VPN connection. Unfortunately, this ActiveX component can be replaced or spoofed without the Novell SSL VPN gateway knowing.

Endpoints running SSL VPNs need serious protection from the vulnerabilities of the mashed-up technologies that enable major SSL VPN features. A trustable security agent technology is required to counter these and other SSL VPN vulnerabilities. The ultimate such agent will leverage a Trusted Platform Module (TPM) to provide not only a high-assurance VPN but also robust network access control (NAC), practically eliminating all the above risks.
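The two preceding paragraphs make a pair of claims: a posture check performed by a client-side component the gateway cannot verify is worth nothing, and a TPM-rooted agent closes that gap. The added example below is not code from this post, from Novell, or from any TPM library; it simulates the contrast in Python. The TPM is a toy stand-in (assumption): one extend-only PCR and an attestation key that never leaves the object, with an HMAC standing in for the TPM’s signed quote. The agent images, posture fields and `example` gateway are constructed. Unlike the gateway in the text, the attesting gateway recomputes the expected PCR from a known-good agent image and the submitted report, and rejects a spoofed agent, an edited report, a replayed quote and a reused nonce.

```python
import hashlib
import hmac
import json
import secrets

# Constructed posture policy (hypothetical).
POSTURE_REQUIREMENTS = {"antivirus_running": True, "disk_encrypted": True}


def is_compliant(posture: dict) -> bool:
    return all(posture.get(k) == v for k, v in POSTURE_REQUIREMENTS.items())


def legacy_gateway_accepts(posture: dict) -> bool:
    """The flawed model: the gateway trusts whatever the client-side check reports."""
    return is_compliant(posture)


def _digest(data) -> bytes:
    if isinstance(data, dict):
        data = json.dumps(data, sort_keys=True).encode()
    return hashlib.sha256(data).digest()


class SimulatedTpm:
    """Toy stand-in for a TPM (assumption): an extend-only PCR and a key that never
    leaves the chip. HMAC replaces the asymmetric quote signature for brevity."""

    def __init__(self, attestation_key: bytes):
        self._key = attestation_key
        self._pcr = bytes(32)

    def extend(self, digest: bytes) -> None:
        # PCR' = H(PCR || digest): order-sensitive and not rewritable by software
        self._pcr = hashlib.sha256(self._pcr + digest).digest()

    def quote(self, nonce: bytes):
        return self._pcr, hmac.new(self._key, self._pcr + nonce, hashlib.sha256).digest()


def boot_endpoint(tpm: SimulatedTpm, agent_image: bytes, posture: dict) -> None:
    """Measured launch: the loader extends the agent image before it runs, then the
    agent extends the posture it actually measured. Neither can be undone later."""
    tpm.extend(_digest(agent_image))
    tpm.extend(_digest(posture))


class AttestingGateway:
    """Gateway that verifies a quote instead of believing the agent's word."""

    def __init__(self, attestation_key: bytes, golden_agent_image: bytes):
        self._key = attestation_key
        self._golden_agent_digest = _digest(golden_agent_image)
        self._pending = set()  # outstanding nonces, each valid for one verification

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def expected_pcr(self, posture: dict) -> bytes:
        pcr = hashlib.sha256(bytes(32) + self._golden_agent_digest).digest()
        return hashlib.sha256(pcr + _digest(posture)).digest()

    def verify(self, nonce: bytes, posture: dict, pcr: bytes, mac: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown nonce, or a nonce already consumed
        self._pending.discard(nonce)
        expected_mac = hmac.new(self._key, pcr + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_mac, mac):
            return False  # not produced by the TPM key, or bound to another nonce
        if not hmac.compare_digest(pcr, self.expected_pcr(posture)):
            return False  # wrong agent image, or the report was edited after measurement
        return is_compliant(posture)


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)
    genuine, spoofed = b"genuine-agent-v1", b"spoofed-agent"  # constructed images
    good = {"antivirus_running": True, "disk_encrypted": True}
    bad = {"antivirus_running": False, "disk_encrypted": True}
    gw = AttestingGateway(key, genuine)
    results = {"legacy_accepts_spoof": legacy_gateway_accepts(good)}

    def attest(image, measured_posture, claimed_posture, nonce=None):
        tpm = SimulatedTpm(key)
        boot_endpoint(tpm, image, measured_posture)
        nonce = nonce or gw.challenge()
        pcr, mac = tpm.quote(nonce)
        return nonce, pcr, mac, gw.verify(nonce, claimed_posture, pcr, mac)

    results["genuine_compliant"] = attest(genuine, good, good)[3]
    results["edited_report"] = attest(genuine, bad, good)[3]      # host is bad, agent claims good
    results["spoofed_agent"] = attest(spoofed, good, good)[3]     # wrong image in the PCR
    n1, pcr, mac, _ = attest(genuine, good, good)
    results["reused_nonce"] = gw.verify(n1, good, pcr, mac)       # nonce already consumed
    results["replayed_quote"] = gw.verify(gw.challenge(), good, pcr, mac)  # old quote, new nonce
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The thing to notice is where the trust sits: the legacy gateway evaluates a dictionary the client composed, so a replaced component simply says what the gateway wants to hear. The attesting gateway evaluates a value that software on the endpoint can only extend, signed by a key it cannot read, bound to a nonce it did not choose. A real deployment would use a TPM quote over the relevant PCRs with an attestation key certified to the gateway, but the checks are the same four.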

Related Articles:

SSL VPN Exposes Enterprises to More Data Leak Risks than IPsec VPN

Using Two or More Separate Web Browsers can Reduce Online Theft and Data Leak Risks

Never Ending Vulnerabilities for Web Browsers
