A new CERT advisory has been published outlining a weakness in the way web based SSL clients operate, resulting in a Same Origin Policy breakage. Here's the meaty details.
"As the web VPN retrieves web pages, it rewrites hyperlinks so that they
are accessible through the web VPN. For example, a link to http://<www.intranet.example.com>/mail.html becomes https://<webvpnserver>/www.intranet.example.com/mail.html.
Cookies set by the requested webserver are converted into globally
unique cookies before being passed to the user's browser, which
prevents collision between two identically named cookies from different
requested domains. For example, a sessionid cookie set by intranet.example.com could be renamed to intranet.example.com_sessionid
before it is sent from the web VPN to the user's browser .
Additionally, the web VPN replaces references to specific HTML DOM
objects, such as document.cookie. These DOM objects are
replaced with script that returns the value for that DOM object as if
it had been accessed in the context of the requested site's domain.
If an attacker constructs a page that obfuscates the document.cookie element in such a way as to avoid being rewritten by the web VPN, then the document.cookie object in the returned page will represent all of the user's cookies for the web VPN domain. Included in this document.cookie are the web VPN session ID cookie itself and all globally unique cookies set by sites requested through the web VPN. The attacker may then use these cookies to hijack the user's VPN session and all other sessions accessed through the web VPN that rely on cookies for session identification." - CERT
Theregister also had this to add
"There is no solution to the weakness, the advisory warns. "Depending on their specific configuration and location in the network, these devices may be impossible to operate securely." Given the severity of the advisory, it would behoove clientless SSL VPN users to check with their supplier to find out if their particular implementation is vulnerable." - TheRegister
It is interesting to note that Michal Zalewski reported on this issue in 2006, and the new advisory was just published (in all likelyhood it was rediscovered by David Warren and Ryan Giobbi although this is just a guess). Ever since publishing my transparent proxy abuse case I've been on an architectural flaw kick, and glad to see more architectural bugs being discovered.
Read more: http://www.kb.cert.org/vuls/id/261869
TheRegister Article: http://www.theregister.co.uk/2009/11/30/vpn_authentication_weakness/