search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Clientless SSL VPN products break web browser domain-based security models

Vulnerability Note VU#261869

Original Release Date: 2009-11-30 | Last Revised: 2013-06-20

Overview

Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

Description

Web browsers enforce the same origin policy to prevent one site's active content (such as JavaScript) from accessing or modifying another site's data. For instance, active content hosted at http://<example.com>/page1.html can access DOM objects on http://<example.com>/page2.html, but cannot access objects hosted at http://<example.net>/page.html. Many clientless SSL VPN products retrieve content from different sites, then present that content as coming from the SSL VPN, effectively circumventing browser same origin restrictions.

Clientless SSL VPNs provide browser-based access to internal and external resources without the need to install a traditional VPN client. Typically, these web VPNs are used to access intranet sites (such as an internal webmail server), but many have more capabilities, such as providing access to internal fileshares and remote desktop capabilities. To connect to a VPN, a web browser is used to authenticate to the web VPN, then the web VPN retrieves and presents the content from the requested pages.

Web VPN servers interact with clients using a process similar to what is described below:

    1. The user presents credentials to the web VPN using a web browser. The authentication can be done through username and password submission, or can involve multi-factor authentication.
    2. The web VPN authenticates the user and assigns an ID to the session, which is sent to the user's browser in the form of a cookie.
    3. The user can then browse internal resources, such as a webmail server or intranet webserver. URLs as viewed by the user's web browser may be similar to https://<webvpnserver>/www.intranet.example.com.
    As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link to http://<www.intranet.example.com>/mail.html becomes https://<webvpnserver>/www.intranet.example.com/mail.html. Cookies set by the requested webserver may be converted into globally unique cookies before being passed to the user's browser, which prevents collision between two identically named cookies from different requested domains. For example, a sessionid cookie set by intranet.example.com could be renamed to intranet.example.com_sessionid before it is sent from the web VPN to the user's browser . Additionally, the web VPN may replace references to specific HTML DOM objects, such as document.cookie. These DOM objects may be replaced with script that returns the value for that DOM object as if it had been accessed in the context of the requested site's domain.

    If an attacker constructs a page that obfuscates the document.cookie element in such a way as to avoid being rewritten by the web VPN, then the document.cookie object in the returned page will represent all of the user's cookies for the web VPN domain. Included in this document.cookie are the web VPN session ID cookie itself and any globally unique cookies set by sites requested through the web VPN. The attacker may then use these cookies to hijack the user's VPN session and any other sessions accessed through the web VPN that rely on cookies for session identification.

    Additionally, an attacker could construct a page with two frames: one hidden and one that displays a legitimate intranet site. The hidden frame could log all keys pressed in the second, benign frame and submit these keypresses as parameters to a XMLHttpRequest GET to the attacker's site, rewritten in web VPN syntax.

    Note that if the VPN server is allowed to connect to arbitrary Internet sites, these vulnerabilities can be exploited by any site on the Internet.

    Impact

    By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For additional information about impacts, please see CERT Advisory CA-2000-02.

    Solution

    There is no solution to this problem. Depending on their specific configuration and location in the network these devices may be impossible to operate securely. Administrators are encouraged to view the below workarounds and see the systems affected section of this document for more information about specific vendors.

    Limit URL rewriting to trusted domains

    If supported by the VPN server, URLs should only be rewritten for trusted internal sites. All other sites and domains should not be accessible through the VPN server.

    Since an attacker only needs to convince a user to visit web page being viewed through the VPN to exploit this vulnerability, this workaround is likely to be less effective if there are a large number of hosts or domains that can be accessed through the VPN server. When deciding which sites can be visited through use of the VPN server, it is important to remember that all allowed sites will operate within the same security context in the web browser.

    Limit VPN server network connectivity to trusted domains

    It may be possible to configure the VPN device to only access specific network domains. This restriction may also be possible by using firewall rules.

    Disable URL hiding features

    Obfuscating URLs hides the destination page from the end user. This feature can be used by an attacker to hide the destination page of any links they send. For example, https://<vpn.example.com>/attack-site.com vs https://<vpn.example.com>/778928801.

    Vendor Information

    Any clientless, browser-based SSL VPN that proxies multiple domains as a single domain violates the same origin policy and is considered to be vulnerable. Vendors of such products are listed as "affected."

    Clientless SSL VPN products ship with a variety of default configurations and available security features. Some products by default provide limited or no access and require an administrator to enable specific domains (or all domains). Depending on functional and security requirements, network architecture, and available security features, it may be possible to operate a clientless SSL VPN in a way that minimizes the potential impact of these vulnerabilities. Users are encouraged to review product documentation and features to determine whether a clientless SSL VPN meets security requirements.

    261869
    Expand all

    Check Point Software Technologies

    Notified:  September 15, 2009 Updated:  December 16, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    Checkpoint has posted the following information:

    https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk43265

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Cisco Systems, Inc.

    Notified:  September 24, 2009 Updated:  December 17, 2009

    Statement Date:   December 04, 2009

    Status

      Vulnerable

    Vendor Statement

    The limitations described in VU#261869 affect all vendors offering a truly Clientless SSL VPN solution, including Cisco. Cisco has published a Security Activity Bulletin that provides additional information at the following link:

    http://tools.cisco.com/security/center/viewAlert.x?alertId=19500

    This bulletin includes links to documentation that guide customers on how to properly configure Clientless SSL VPN deployments for the purpose of accessing trusted resources to avoid getting in to a situation which may cause concern.

    Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution that can also be used with Clientless connections to protect against these security risks. Additionally, customers can use the Cisco AnyConnect client. Cisco Anyconnect provides remote end users with support of applications and functions unavailable to a clientless, browser-based SSL VPN connection.  Information about CSD and AnyConnect can be found at:

    http://www.cisco.com/go/sslvpn.

    Vendor Information

    Cisco has published information about this issue at:
    http://tools.cisco.com/security/center/viewAlert.x?alertId=19500
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589
    http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589

    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982
    http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849

    Vendor References

    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982 http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Citrix

    Notified:  September 24, 2009 Updated:  December 16, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    Citrix has published the following article:

    http://support.citrix.com/article/CTX123610

    Vendor References

    http://support.citrix.com/article/CTX123610

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Juniper Networks, Inc.

    Notified:  September 24, 2009 Updated:  December 17, 2009

    Statement Date:   November 30, 2009

    Status

      Vulnerable

    Vendor Statement

    Please see Juniper Networks Product Security Notification PSN-2009-11-580:
    https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-11-580&viewMode=view

    Vendor Information

    Juniper has also published the following information:

    Juniper Networks recommendations for mitigating VU#261869: http://kb.juniper.net/KB15799

    Users are encouraged to review this knowledge base article and apply the workarounds they describe.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Microsoft Corporation

    Notified:  September 24, 2009 Updated:  December 07, 2009

    Statement Date:   December 05, 2009

    Status

      Vulnerable

    Vendor Statement

    If customer chooses co-host resources of a different trust (different web applications and ssl-vpn internal application/portal) this situation can arise.

    Although there is another choice that customer can make - use a separate domain for each application. The trade-off is cost vs security - using dedicated domain names, requires wild-card certificates, and multiple dns registrations. We encourage our customers to go with this solution, but as always customers have the right to choose cost of deployment over security.

    While we agree with the less secure option this may pose an issue in certain deployments. With the more secure option available we feel that this is not a vulnerability in our products.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Nortel Networks, Inc.

    Notified:  October 19, 2009 Updated:  December 16, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    Nortel has published the following advisory:

    http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=984744

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    OpenVPN Technologies

    Notified:  November 13, 2009 Updated:  December 17, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The web-based OpenVPN ALS (formerly Adito) could be affected by these issues when using a replacement proxy forward or multiple reverse proxy forwards. The scope of VPN session cookie stealing can be limited by enabling the Verify Client Address option. Tunneled web forwards are not affected.

    Please note that OpenVPN ALS is separate from the traditional TUN/TAP client-based OpenVPN, which is not affected by this issue.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    SafeNet

    Notified:  October 19, 2009 Updated:  December 03, 2009

    Statement Date:   November 13, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    SafeNet has issued Security Bulletin 111009-1, "SafeWord 2008 -- SecureWire Access Gateway SSL VPN Vulnerability."

    This document can be viewed from the SafeNet technical support website.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    SonicWall

    Notified:  September 15, 2009 Updated:  December 04, 2009

    Statement Date:   December 01, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    SonicWall has published the following information in response to this issue:

    Main Support Page: http://www.sonicwall.com/us/Support.html
    SonicWALL E-Class SSL VPN: http://www.sonicwall.com/us/2123_14882.html
    SonicWALL SSL VPN: http://www.sonicwall.com/us/2123_14883.html

    Users are encouraged to review these bulletins and apply the workarounds they describe.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Stonesoft

    Notified:  October 19, 2009 Updated:  December 17, 2009

    Statement Date:   December 03, 2009

    Status

      Vulnerable

    Vendor Statement

    Stonesoft has published a Security Advisory on this issue. The advisory is available at Stonesoft's web site:

    http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Sun Microsystems, Inc.

    Notified:  October 19, 2009 Updated:  December 08, 2009

    Statement Date:   December 05, 2009

    Status

      Vulnerable

    Vendor Statement

    Sun Java System Portal Server Secure Remote Access can be configured to be not vulnerable to CVE-2009-2631. Secure Remote Access Gateway offers client-less SSL VPN functionality. It rewrites the URLs only for explicitly configured domains and subdomains. Hence it is not vulnerable to attacks launched from the Internet. Access to domains or hosts within the intranet can be further controlled by Allow/Deny access list to restrict access to only trusted internal sites.

    Vendor Information

    Sun has published the following information:

    http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable

    Vendor References

    http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable

    Addendum

    CERT/CC has listed Sun Microsystems as vulnerable because certain configurations are subject to the issues described in the note.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    aep NETWORKS

    Notified:  November 06, 2009 Updated:  December 17, 2009

    Statement Date:   December 17, 2009

    Status

      Vulnerable

    Vendor Statement

    Regarding US-CERT Vulnerability Note VU# 261869, AEP Netilla currently mitigates exposure because of its secure design. By default, AEP Netilla is “locked down” meaning all access to and from Netilla is denied. All types of access must be explicitly granted. Thus, when a Web reverse proxy application is configured on Netilla, users cannot access the application and Netilla will not allow the connection to the application until policies that grant access are created. Details such as whether or not to allow cookies are part of the connection access policy.

    Because all access to and from Netilla is denied by default, any attempt to direct a user to an attacker created web page will be denied. Netilla is also protected from the other method described in the Vulnerability Note where user key strokes are trapped in a hidden frame. When that frame attempts to send out the captured data, the data is re-written to go to Netilla where Netilla's policy checking engine will drop the data.

    AEP recommends that Netilla customers only add access rules for known trusted sites. If customers require access to servers outside of their control AEP recommends that they only configure policy rules that grant the absolute minimal access needed and can further mitigate the risk with these application policy settings: Cookie Support = No; JavaScript Handling = Delete; Vbscript Handling = Delete; and Host Name Hiding, a system-wide configuration setting, should be left at the default option = Do Not Hide.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    CERT/CC has listed AEP Networks as vulnerable because certain configurations are subject to the issues described in the note. Administrators are encouraged to review their deployment for applicability.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Computer Associates

    Notified:  October 19, 2009 Updated:  December 17, 2009

    Statement Date:   October 23, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Extreme Networks

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   October 26, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Fedora Project

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   October 19, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Intel Corporation

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   December 03, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Internet Security Systems, Inc.

    Notified:  October 19, 2009 Updated:  December 15, 2009

    Statement Date:   December 15, 2009

    Status

      Not Vulnerable

    Vendor Statement

    ISS is NOT affected by this issue.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Kerio Technologies

    Notified:  September 24, 2009 Updated:  October 01, 2009

    Statement Date:   September 29, 2009

    Status

      Not Vulnerable

    Vendor Statement

    The Kerio Clientless SSL-VPN is intended to access files on the network where it is deployed. It by design does not work as a reverse HTTP proxy and it does not create nor modify HTTP cookies of other web services. As such it is not affected by the described vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    McAfee

    Notified:  September 15, 2009 Updated:  December 04, 2009

    Statement Date:   October 22, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Novell, Inc.

    Notified:  September 24, 2009 Updated:  December 04, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    PePLink

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   October 20, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Q1 Labs

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   December 04, 2009

    Status

      Not Vulnerable

    Vendor Statement

    Q1 is not affected by VU#261869

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Red Hat, Inc.

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   October 28, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Webmin

    Notified:  September 25, 2009 Updated:  October 02, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    3com Inc

    Notified:  October 19, 2009 Updated:  December 05, 2011

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    ACCESS

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Alcatel-Lucent

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Avaya, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Barracuda Networks

    Notified:  September 24, 2009 Updated:  December 04, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Conectiva Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    D-Link Systems, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Debian GNU/Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    DragonFly BSD Project

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    EMC Corporation

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Engarde Secure Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Enterasys Networks

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Ericsson

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    F5 Networks, Inc.

    Notified:  September 16, 2009 Updated:  September 16, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Force10 Networks, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Fortinet, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Foundry Networks, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    FreeBSD, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Fujitsu

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Gentoo Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Global Technology Associates

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Hewlett-Packard Company

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Hitachi

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    IBM Corporation

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    IBM eServer

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    IP Filter

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    IP Infusion, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Infoblox

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Intoto

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Luminous Networks

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Mandriva S. A.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    MontaVista Software, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Multitech, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    NEC Corporation

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    NetApp

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    NetBSD

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Netgear, Inc.

    Notified:  October 20, 2009 Updated:  October 20, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Nokia

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    OpenBSD

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Openwall GNU/*/Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Process Software

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    QNX Software Systems Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Quagga

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    RadWare, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Redback Networks, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    SUSE Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Secureworx, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Silicon Graphics, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    SmoothWall

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Snort

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Soapstone Networks

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Sourcefire

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Symantec

    Notified:  September 15, 2009 Updated:  September 15, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    The SCO Group

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Turbolinux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    U4EA Technologies, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Ubuntu

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Unisys

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    VMware

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Vyatta

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Watchguard Technologies, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Wind River Systems, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    ZyXEL

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    eSoft, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    m0n0wall

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    netfilter

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    CVSS Metrics

    Group Score Vector
    Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
    Temporal 6.1 E:POC/RL:ND/RC:C
    Environmental 4.6 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

    References

    Credit

    This issue was discovered by David Warren and Ryan Giobbi. Much of the original research into this issue was done by Michal Zalewski and Mike Zusman

    This document was written by David Warren and Ryan Giobbi.

    Other Information

    CVE IDs: CVE-2009-2631
    Severity Metric: 45.00
    Date Public: 2009-11-30
    Date First Published: 2009-11-30
    Date Last Updated: 2013-06-20 17:08 UTC
    Document Revision: 190

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.