SSLVPN vulnerability bypassing security policies

  • 3429077
  • 15-Mar-2007
  • 26-Apr-2012


Novell Access Management 3 SSLVPN Server


After a workstation connects to the SSLVPN server and downloads the ActiveX controls in IE, a policy.txt file is created in the user's directory (Windows). This file contains the rules indicating what traffic and ports can go over the VPN.

If a user makes this file read-only, disconnects, and then edits it manually before reconnecting, that user can get access to any resources on the corporate LAN that would normally be prohibited. For example, changing the file to include
sslize {
from : / 0
to :
port : 80
protocol :tcp
action :allow

will give the user access to all web servers on the corporate LAN. NO traffic access checking is done on the SSLVPN server.
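
The control that is missing here is a server-side check on every tunnelled connection. The following is an added example (not Novell's code and not the contents of the patch) of a gateway that decides from a server-held policy only, default-deny; the `Rule` fields mirror the policy.txt keys shown above, while the user names, addresses and the `authorize` function are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    to: ipaddress.IPv4Network   # destination network
    port: int                   # destination port
    protocol: str               # "tcp" or "udp"
    action: str                 # "allow" or "deny"


# Constructed sample: policy kept on the gateway, keyed by authenticated user.
# The copy written to the client's policy.txt is never read back.
SERVER_POLICY = {
    "alice": [
        Rule(ipaddress.ip_network("10.1.3.0/24"), 22, "tcp", "deny"),
        Rule(ipaddress.ip_network("10.1.2.10/32"), 443, "tcp", "allow"),
    ],
}


def authorize(user, dst_ip, dst_port, protocol):
    """Return True only if the server-held policy allows this connection.

    First matching rule wins. Unknown users, unparsable destinations and
    connections that match no rule are denied.
    """
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    for rule in SERVER_POLICY.get(user, []):
        if (addr in rule.to
                and dst_port == rule.port
                and protocol.lower() == rule.protocol):
            return rule.action == "allow"
    return False


if __name__ == "__main__":
    # A client whose local file was edited to allow port 80 everywhere is
    # still refused, because the gateway never consults that file.
    print(authorize("alice", "10.9.9.9", 80, "tcp"))     # False
    print(authorize("alice", "10.1.2.10", 443, "tcp"))   # True
```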


Apply nam3ir2.tar.gz from


Security Alert

Additional Information

Thanks to Kai Ung from Rikshospitalet‑Radiumhospitalet Medical Centre for finding the issue and confirming the fix.