search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Clientless SSL VPN products break web browser domain-based security models

Vulnerability Note VU#261869

Original Release Date: 2009-11-30 | Last Revised: 2013-06-20

Overview

Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

Description

Web browsers enforce the same origin policy to prevent one site's active content (such as JavaScript) from accessing or modifying another site's data. For instance, active content hosted at http://<example.com>/page1.html can access DOM objects on http://<example.com>/page2.html, but cannot access objects hosted at http://<example.net>/page.html. Many clientless SSL VPN products retrieve content from different sites, then present that content as coming from the SSL VPN, effectively circumventing browser same origin restrictions.

Clientless SSL VPNs provide browser-based access to internal and external resources without the need to install a traditional VPN client. Typically, these web VPNs are used to access intranet sites (such as an internal webmail server), but many have more capabilities, such as providing access to internal fileshares and remote desktop capabilities. To connect to a VPN, a web browser is used to authenticate to the web VPN, then the web VPN retrieves and presents the content from the requested pages.

Web VPN servers interact with clients using a process similar to what is described below:

    1. The user presents credentials to the web VPN using a web browser. The authentication can be done through username and password submission, or can involve multi-factor authentication.
    2. The web VPN authenticates the user and assigns an ID to the session, which is sent to the user's browser in the form of a cookie.
    3. The user can then browse internal resources, such as a webmail server or intranet webserver. URLs as viewed by the user's web browser may be similar to https://<webvpnserver>/www.intranet.example.com.
    As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link to http://<www.intranet.example.com>/mail.html becomes https://<webvpnserver>/www.intranet.example.com/mail.html. Cookies set by the requested webserver may be converted into globally unique cookies before being passed to the user's browser, which prevents collision between two identically named cookies from different requested domains. For example, a sessionid cookie set by intranet.example.com could be renamed to intranet.example.com_sessionid before it is sent from the web VPN to the user's browser . Additionally, the web VPN may replace references to specific HTML DOM objects, such as document.cookie. These DOM objects may be replaced with script that returns the value for that DOM object as if it had been accessed in the context of the requested site's domain.

    If an attacker constructs a page that obfuscates the document.cookie element in such a way as to avoid being rewritten by the web VPN, then the document.cookie object in the returned page will represent all of the user's cookies for the web VPN domain. Included in this document.cookie are the web VPN session ID cookie itself and any globally unique cookies set by sites requested through the web VPN. The attacker may then use these cookies to hijack the user's VPN session and any other sessions accessed through the web VPN that rely on cookies for session identification.

    Additionally, an attacker could construct a page with two frames: one hidden and one that displays a legitimate intranet site. The hidden frame could log all keys pressed in the second, benign frame and submit these keypresses as parameters to a XMLHttpRequest GET to the attacker's site, rewritten in web VPN syntax.

    Note that if the VPN server is allowed to connect to arbitrary Internet sites, these vulnerabilities can be exploited by any site on the Internet.

    Impact

    By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For additional information about impacts, please see CERT Advisory CA-2000-02.

    Solution

    There is no solution to this problem. Depending on their specific configuration and location in the network these devices may be impossible to operate securely. Administrators are encouraged to view the below workarounds and see the systems affected section of this document for more information about specific vendors.

    Limit URL rewriting to trusted domains

    If supported by the VPN server, URLs should only be rewritten for trusted internal sites. All other sites and domains should not be accessible through the VPN server.

    Since an attacker only needs to convince a user to visit web page being viewed through the VPN to exploit this vulnerability, this workaround is likely to be less effective if there are a large number of hosts or domains that can be accessed through the VPN server. When deciding which sites can be visited through use of the VPN server, it is important to remember that all allowed sites will operate within the same security context in the web browser.

    Limit VPN server network connectivity to trusted domains

    It may be possible to configure the VPN device to only access specific network domains. This restriction may also be possible by using firewall rules.

    Disable URL hiding features

    Obfuscating URLs hides the destination page from the end user. This feature can be used by an attacker to hide the destination page of any links they send. For example, https://<vpn.example.com>/attack-site.com vs https://<vpn.example.com>/778928801.

    Vendor Information

    Any clientless, browser-based SSL VPN that proxies multiple domains as a single domain violates the same origin policy and is considered to be vulnerable. Vendors of such products are listed as "affected."

    Clientless SSL VPN products ship with a variety of default configurations and available security features. Some products by default provide limited or no access and require an administrator to enable specific domains (or all domains). Depending on functional and security requirements, network architecture, and available security features, it may be possible to operate a clientless SSL VPN in a way that minimizes the potential impact of these vulnerabilities. Users are encouraged to review product documentation and features to determine whether a clientless SSL VPN meets security requirements.

    261869
     
    Affected   Unknown   Unaffected

    Check Point Software Technologies

    Notified:  September 15, 2009 Updated:  December 16, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    Checkpoint has posted the following information:

    https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk43265

    Cisco Systems, Inc.

    Notified:  September 24, 2009 Updated:  December 17, 2009

    Statement Date:   December 04, 2009

    Status

      Vulnerable

    Vendor Statement

    The limitations described in VU#261869 affect all vendors offering a truly Clientless SSL VPN solution, including Cisco. Cisco has published a Security Activity Bulletin that provides additional information at the following link:

    http://tools.cisco.com/security/center/viewAlert.x?alertId=19500

    This bulletin includes links to documentation that guide customers on how to properly configure Clientless SSL VPN deployments for the purpose of accessing trusted resources to avoid getting in to a situation which may cause concern.

    Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution that can also be used with Clientless connections to protect against these security risks. Additionally, customers can use the Cisco AnyConnect client. Cisco Anyconnect provides remote end users with support of applications and functions unavailable to a clientless, browser-based SSL VPN connection.  Information about CSD and AnyConnect can be found at:

    http://www.cisco.com/go/sslvpn.

    Vendor Information

    Cisco has published information about this issue at:
    http://tools.cisco.com/security/center/viewAlert.x?alertId=19500
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589
    http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589

    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982
    http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849

    Vendor References

    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982 http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849

    Citrix

    Notified:  September 24, 2009 Updated:  December 16, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    Citrix has published the following article:

    http://support.citrix.com/article/CTX123610

    Vendor References

    http://support.citrix.com/article/CTX123610

    Juniper Networks, Inc.

    Notified:  September 24, 2009 Updated:  December 17, 2009

    Statement Date:   November 30, 2009

    Status

      Vulnerable

    Vendor Statement

    Please see Juniper Networks Product Security Notification PSN-2009-11-580:
    https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-11-580&viewMode=view

    Vendor Information

    Juniper has also published the following information:

    Juniper Networks recommendations for mitigating VU#261869: http://kb.juniper.net/KB15799

    Users are encouraged to review this knowledge base article and apply the workarounds they describe.

    Microsoft Corporation

    Notified:  September 24, 2009 Updated:  December 07, 2009

    Statement Date:   December 05, 2009

    Status

      Vulnerable

    Vendor Statement

    If customer chooses co-host resources of a different trust (different web applications and ssl-vpn internal application/portal) this situation can arise.

    Although there is another choice that customer can make - use a separate domain for each application. The trade-off is cost vs security - using dedicated domain names, requires wild-card certificates, and multiple dns registrations. We encourage our customers to go with this solution, but as always customers have the right to choose cost of deployment over security.

    While we agree with the less secure option this may pose an issue in certain deployments. With the more secure option available we feel that this is not a vulnerability in our products.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Nortel Networks, Inc.

    Notified:  October 19, 2009 Updated:  December 16, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    Nortel has published the following advisory:

    http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=984744

    OpenVPN Technologies

    Notified:  November 13, 2009 Updated:  December 17, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The web-based OpenVPN ALS (formerly Adito) could be affected by these issues when using a replacement proxy forward or multiple reverse proxy forwards. The scope of VPN session cookie stealing can be limited by enabling the Verify Client Address option. Tunneled web forwards are not affected.

    Please note that OpenVPN ALS is separate from the traditional TUN/TAP client-based OpenVPN, which is not affected by this issue.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    SafeNet

    Notified:  October 19, 2009 Updated:  December 03, 2009

    Statement Date:   November 13, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    SafeNet has issued Security Bulletin 111009-1, "SafeWord 2008 -- SecureWire Access Gateway SSL VPN Vulnerability."

    This document can be viewed from the SafeNet technical support website.

    SonicWall

    Notified:  September 15, 2009 Updated:  December 04, 2009

    Statement Date:   December 01, 2009

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    SonicWall has published the following information in response to this issue:

    Main Support Page: http://www.sonicwall.com/us/Support.html
    SonicWALL E-Class SSL VPN: http://www.sonicwall.com/us/2123_14882.html
    SonicWALL SSL VPN: http://www.sonicwall.com/us/2123_14883.html

    Users are encouraged to review these bulletins and apply the workarounds they describe.

    Stonesoft

    Notified:  October 19, 2009 Updated:  December 17, 2009

    Statement Date:   December 03, 2009

    Status

      Vulnerable

    Vendor Statement

    Stonesoft has published a Security Advisory on this issue. The advisory is available at Stonesoft's web site:

    http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Sun Microsystems, Inc.

    Notified:  October 19, 2009 Updated:  December 08, 2009

    Statement Date:   December 05, 2009

    Status

      Vulnerable

    Vendor Statement

    Sun Java System Portal Server Secure Remote Access can be configured to be not vulnerable to CVE-2009-2631. Secure Remote Access Gateway offers client-less SSL VPN functionality. It rewrites the URLs only for explicitly configured domains and subdomains. Hence it is not vulnerable to attacks launched from the Internet. Access to domains or hosts within the intranet can be further controlled by Allow/Deny access list to restrict access to only trusted internal sites.

    Vendor Information

    Sun has published the following information:

    http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable

    Vendor References

    http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable

    Addendum

    CERT/CC has listed Sun Microsystems as vulnerable because certain configurations are subject to the issues described in the note.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    aep NETWORKS

    Notified:  November 06, 2009 Updated:  December 17, 2009

    Statement Date:   December 17, 2009

    Status

      Vulnerable

    Vendor Statement

    Regarding US-CERT Vulnerability Note VU# 261869, AEP Netilla currently mitigates exposure because of its secure design. By default, AEP Netilla is “locked down” meaning all access to and from Netilla is denied. All types of access must be explicitly granted. Thus, when a Web reverse proxy application is configured on Netilla, users cannot access the application and Netilla will not allow the connection to the application until policies that grant access are created. Details such as whether or not to allow cookies are part of the connection access policy.

    Because all access to and from Netilla is denied by default, any attempt to direct a user to an attacker created web page will be denied. Netilla is also protected from the other method described in the Vulnerability Note where user key strokes are trapped in a hidden frame. When that frame attempts to send out the captured data, the data is re-written to go to Netilla where Netilla's policy checking engine will drop the data.

    AEP recommends that Netilla customers only add access rules for known trusted sites. If customers require access to servers outside of their control AEP recommends that they only configure policy rules that grant the absolute minimal access needed and can further mitigate the risk with these application policy settings: Cookie Support = No; JavaScript Handling = Delete; Vbscript Handling = Delete; and Host Name Hiding, a system-wide configuration setting, should be left at the default option = Do Not Hide.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    CERT/CC has listed AEP Networks as vulnerable because certain configurations are subject to the issues described in the note. Administrators are encouraged to review their deployment for applicability.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Computer Associates

    Notified:  October 19, 2009 Updated:  December 17, 2009

    Statement Date:   October 23, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Extreme Networks

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   October 26, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Fedora Project

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   October 19, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Intel Corporation

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   December 03, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Internet Security Systems, Inc.

    Notified:  October 19, 2009 Updated:  December 15, 2009

    Statement Date:   December 15, 2009

    Status

      Not Vulnerable

    Vendor Statement

    ISS is NOT affected by this issue.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Kerio Technologies

    Notified:  September 24, 2009 Updated:  October 01, 2009

    Statement Date:   September 29, 2009

    Status

      Not Vulnerable

    Vendor Statement

    The Kerio Clientless SSL-VPN is intended to access files on the network where it is deployed. It by design does not work as a reverse HTTP proxy and it does not create nor modify HTTP cookies of other web services. As such it is not affected by the described vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    McAfee

    Notified:  September 15, 2009 Updated:  December 04, 2009

    Statement Date:   October 22, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Novell, Inc.

    Notified:  September 24, 2009 Updated:  December 04, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    PePLink

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   October 20, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Q1 Labs

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   December 04, 2009

    Status

      Not Vulnerable

    Vendor Statement

    Q1 is not affected by VU#261869

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Red Hat, Inc.

    Notified:  October 19, 2009 Updated:  December 04, 2009

    Statement Date:   October 28, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Webmin

    Notified:  September 25, 2009 Updated:  October 02, 2009

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    3com Inc

    Notified:  October 19, 2009 Updated:  December 05, 2011

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    ACCESS

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Alcatel-Lucent

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Avaya, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Barracuda Networks

    Notified:  September 24, 2009 Updated:  December 04, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Conectiva Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    D-Link Systems, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Debian GNU/Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    DragonFly BSD Project

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    EMC Corporation

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Engarde Secure Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Enterasys Networks

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Ericsson

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    F5 Networks, Inc.

    Notified:  September 16, 2009 Updated:  September 16, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Force10 Networks, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Fortinet, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Foundry Networks, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    FreeBSD, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Fujitsu

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Gentoo Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Global Technology Associates

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Hewlett-Packard Company

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Hitachi

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    IBM Corporation

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    IBM eServer

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    IP Filter

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    IP Infusion, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Infoblox

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Intoto

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Luminous Networks

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Mandriva S. A.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    MontaVista Software, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Multitech, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    NEC Corporation

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    NetApp

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    NetBSD

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Netgear, Inc.

    Notified:  October 20, 2009 Updated:  October 20, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Nokia

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    OpenBSD

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Openwall GNU/*/Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Process Software

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    QNX Software Systems Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Quagga

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    RadWare, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Redback Networks, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    SUSE Linux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Secureworx, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Silicon Graphics, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    SmoothWall

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Snort

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Soapstone Networks

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Sourcefire

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Symantec

    Notified:  September 15, 2009 Updated:  September 15, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    The SCO Group

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Turbolinux

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    U4EA Technologies, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Ubuntu

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Unisys

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    VMware

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vyatta

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Watchguard Technologies, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Wind River Systems, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    ZyXEL

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    eSoft, Inc.

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    m0n0wall

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    netfilter

    Notified:  October 19, 2009 Updated:  October 19, 2009

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.


    CVSS Metrics

    Group Score Vector
    Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
    Temporal 6.1 E:POC/RL:ND/RC:C
    Environmental 4.6 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

    References

    Credit

    This issue was discovered by David Warren and Ryan Giobbi. Much of the original research into this issue was done by Michal Zalewski and Mike Zusman

    This document was written by David Warren and Ryan Giobbi.

    Other Information

    CVE IDs: CVE-2009-2631
    Severity Metric: 45.00
    Date Public: 2009-11-30
    Date First Published: 2009-11-30
    Date Last Updated: 2013-06-20 17:08 UTC
    Document Revision: 190

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.