Cisco Systems, Inc. Information for VU#261869

Clientless SSL VPN products break web browser domain-based security models

Status

Affected

Vendor Statement

The limitations described in VU#261869 affect all vendors offering a truly Clientless SSL VPN solution, including Cisco. Cisco has published a Security Activity Bulletin that provides additional information at the following link:

http://tools.cisco.com/security/center/viewAlert.x?alertId=19500

This bulletin includes links to documentation that guides customers on how to properly configure Clientless SSL VPN deployments for the purpose of accessing trusted resources to avoid getting into a situation which may cause concern.

Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution that can also be used with Clientless connections to protect against these security risks. Additionally, customers can use the Cisco AnyConnect client. Cisco AnyConnect provides remote end users with support of applications and functions unavailable to a clientless, browser-based SSL VPN connection. Information about CSD and AnyConnect can be found at:

http://www.cisco.com/go/sslvpn.

Vendor Information

Cisco has published information about this issue at:
http://tools.cisco.com/security/center/viewAlert.x?alertId=19500
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849

Addendum

There are no additional comments at this time.
