Cisco has provided updated information regarding the Cisco WebVPN bookmark URL bypass.
Reports indicate that a vulnerability exists in the Cisco WebVPN bookmark feature; this feature is part of the Cisco ASA 5500 Series Adaptive Security Appliance (Cisco ASA).
The Cisco ASA gives administrators the option of offering a Clientless SSL VPN session for access to corporate resources. One of several features available to administrators is the ability to customize the WebVPN portal page by adding bookmarks to the landing page; the list of links that are provided as bookmarks point users to resources that are intended to be accessed via the clientless connection. This feature is often used when URL entry has been disabled to prevent confusion among users about where to enter a URL to access a specific resource.
The bookmark feature is not a security feature, and by default, all portal traffic is allowed to access all backend servers. As such, users with sufficient knowledge could manually manipulate the URLs that are used by the VPN client to access arbitrary resources within the network. To prevent such access, additional configuration is required.
Administrators are advised to apply web access control lists (ACLs) to group-policies and Dynamic Access Policies (DAP) to control specific traffic flows from the portal. Additional information about how to create Web ACLs can be found in the Cisco Security Appliance Configuration and Deployment guides.
Information about using Cisco Adaptive Security Device Manager (ASDM) to configure Web ACLs is available at the following link: Web ACLs
This issue was reported by David Eduardo Acosta Rodrguez from Internet Security Auditors. Cisco PSIRT appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.
A modification of the default behavior has been proposed that would deny access to all resources but those included within the WebVPN Portal bookmarks by default. Further details of this enhancement request are available in Cisco bug ID CSCtd73211.
Administrators who support this change should contact their Cisco Sales or Support channel to express their support for the enhancement.
Version 1, December 17, 2009, 8:42 AM: An independent researcher has reported a vulnerability in the Cisco WebVPN bookmark feature of the Cisco ASA 5500 Series Adaptive Security Appliance. This feature is not a security feature of the affected product.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.