SSLVPN vulnerability bypassing security policies

  • 3429077
  • 15-Mar-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 SSLVPN Server

Situation

After a workstation connects to the sslvpn server, and downloads the ActiveX controls in IE, a policy.txt file is created in the users directory (Windows) that contains the rules indicating what traffic and ports can go over the VPN.

If a user makes this file read-only, disconnect, and then edits it manually before reconnecting, that user can get access to any resources on the coporate LAN that would normally be prohibited. For example, changing the file to include
 
sslize {
from : 0.0.0.0 / 0
to :10.0.0.0/255.0.0.0
port : 80
protocol :tcp
action :allow
};

will give the user access to all webservers on the corporate LAN. NO traffic access checking is done on the SSLVPN server

Resolution

Apply nam3ir2.tar.gz from support.novell.com

Status

Security Alert

Additional Information

Thanks to Kai Ung from Rikshospitalet‑Radiumhospitalet Medical Centre for finding and confirming fix.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.