Avaya Nortel Enterprise Response to VU261869 User Manual

TECHNICAL SUPPORT
SECURITY ADVISORY BULLETIN
Nortel Enterprise Response to VU#261869: Clientless SSL VPN Security Issue
Source:
US-CERT Vulnerability Note on the Clientless SSL VPN Security Issues at: http://www.kb.cert.org/vuls/id/261869
CVE-2009-2631 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2631
CERT Coordination Center CA-2000-02 is available at: http://www.cert.org/advisories/CA-2000-02.html#impact
BULLETIN ID: 2009009920, Rev 1
STATUS: Active
REGION: All
PRIORITY: Critical
TYPE: Security Advisory
Overview:
Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.
By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same-origin policy restrictions in all browsers. Because all content runs at the privilege level of the web VPN domain, mechanisms that provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. For additional information about impacts, please review CERT Advisory CA-2000-02.
There is no solution to this problem. Depending on their specific configuration and location in the network, these devices may be impossible to operate securely. Administrators are encouraged to view the workarounds detailed in the Solutions section of the US-CERT Vulnerability Note for the following:
1. Limit URL rewriting to trusted domains
2. Block the VPN server from accessing untrusted domains
3. Disable URL hiding features
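An added illustration of the first workaround, limiting URL rewriting to trusted domains: a gateway-side allowlist check that decides whether a rewritten request may be fetched at all. This is example code written for this bulletin, not code from Nortel or any VPN product; the /proxy/<scheme>/<host>/<path> layout, the domain names and the helper names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed allowlist of internal domains the gateway may rewrite for.
TRUSTED_DOMAINS = frozenset({"intranet.example", "mail.example"})

# Hostname plus optional numeric port; anything else (userinfo '@',
# an embedded '/', whitespace) is rejected outright.
_HOST_RE = re.compile(r"^[a-z0-9.-]+(?::\d{1,5})?$")


def parse_rewritten_path(path):
    """Split an assumed gateway path /proxy/<scheme>/<host>/<rest>.

    Returns (scheme, host, rest) with scheme and host normalised to
    lower case, or None when the path is not a well-formed proxy URL.
    Components are split before percent-decoding so an encoded '/'
    cannot smuggle a second host into the host component.
    """
    parts = path.split("/", 4)
    if len(parts) < 4 or parts[0] != "" or parts[1] != "proxy":
        return None
    scheme = unquote(parts[2]).lower()
    host = unquote(parts[3]).lower().rstrip(".")
    rest = "/" + parts[4] if len(parts) == 5 else "/"
    if scheme not in ("http", "https") or not _HOST_RE.match(host):
        return None
    return scheme, host, rest


def is_trusted_host(host):
    """Exact match or a subdomain of an allowlisted domain; port ignored.

    The suffix test requires a leading '.', so a look-alike such as
    intranet.example.evil.example does not match intranet.example.
    """
    name = host.split(":")[0]
    return name in TRUSTED_DOMAINS or any(
        name.endswith("." + d) for d in TRUSTED_DOMAINS)


def rewrite_allowed(path):
    """True only when the gateway should fetch and rewrite this target."""
    target = parse_rewritten_path(path)
    return target is not None and is_trusted_host(target[1])
```

Requests that fail the check should be refused before the gateway contacts the origin, and the refusal logged, since a steady stream of rejected external hosts is the signal that someone is probing the rewriter.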
Before taking any action please ensure that you are viewing the latest official version of this security advisory by referencing http://www.nortel.com/securityadvisories
For more information: Please contact your next level of support or visit http://www.nortel.com/contact for support numbers within your region.
Nortel security advisories: http://nortel.com/securityadvisories
Nortel Partner Information Center (PIC) website: http://www.nortelnetworks.com/pic
Symptoms:
Please refer to the Resolution section herein for product-specific information from Nortel.
Prevention:
Please refer to the Resolution section herein for product-specific information from Nortel.
Mitigation:
Please refer to the US-CERT link in the Source section for mitigation information for the various vulnerabilities addressed by the US-CERT advisory. Please refer to the Resolution section herein for product-specific information from Nortel.
Risk:
Please refer to the US-CERT link in the Source section for additional information about the risks of the various vulnerabilities addressed by the US-CERT advisory. Please refer to the Resolution section of this bulletin for product-specific information from Nortel.
Resolution:
1) The following Nortel Generally Available products are potentially vulnerable to the security issue outlined in the US-CERT Advisory for Clientless SSL VPN Security Issues. Please refer to product-specific text below for instructions on how to proceed.
CallPilot - 201i, 202i, 600r, 703t, 1002rp, 1005r
. Customers should avoid browsing other web sites while logged in securely to CallPilot Manager or My CallPilot.
2) The following Nortel Generally Available products are not vulnerable to the security issue outlined in the US-CERT Advisory for Clientless SSL VPN Security Issues. Please refer to product-specific information below for any further instructions.
BCM - BCM50, BCM200, BCM400, BCM450, BCM1000, SRG50, SRG200, SRG400
. The BCM and BCM-based SRG are not impacted by the "Clientless SSL VPN products break web browser domain-based security models" issue, as the BCM / SRG models do not have a clientless SSL VPN solution.
Contact Center - CCT
. Contact Center portfolio products have no dependency on any affected Clientless SSL VPN products and the vulnerability is not applicable to any Contact Center portfolio products.
Contact Center - Agent Greeting
. Contact Center portfolio products have no dependency on any affected Clientless SSL VPN products and the vulnerability is not applicable to any Contact Center portfolio products.
Contact Center - Contact Recording, Quality Monitoring
. Contact Center portfolio products have no dependency on any affected Clientless SSL VPN products and the vulnerability is not applicable to any Contact Center portfolio products.
Contact Center - Multimedia Agent Desktop Display, CCMM, Outbound
. Contact Center portfolio products have no dependency on any affected Clientless SSL VPN products and the vulnerability is not applicable to any Contact Center portfolio products.
Contact Center - Manager CCMA, CCMS, Express, NCC
. Contact Center portfolio products have no dependency on any affected Clientless SSL VPN products and the vulnerability is not applicable to any Contact Center portfolio products.
Page: 2 of 9
Contact Center - Remote Agent Observe
. Contact Center portfolio products have no dependency on any affected Clientless SSL VPN products and the vulnerability is not applicable to any Contact Center portfolio products.
Call Center - Symposium Agent, TAPI Server
. Contact Center portfolio products have no dependency on any affected Clientless SSL VPN products and the vulnerability is not applicable to any Contact Center portfolio products.
ENSM - Configuration & Orchestration Manager (COM)
. This issue is not specific to COM; it impacts all web applications. We recommend the remediation workaround for managing your SSL VPN to overcome or limit this issue.
Enterprise NMS - ENMS
. The ENMS application is not truly a browser-based application, though it can be accessed as an applet in the browser. Nortel recommends that users access ENMS through the desktop or Java client, i.e. not the applet version.
Enterprise VoIP - TM-CS1000
. TM is not impacted by the "Clientless SSL VPN products break web browser domain-based security models" issue, as this is not applicable to TM. Customers may choose to follow the potential workarounds as published by US-CERT.
Enterprise VoIP - CS1000M, CS1000S
. The CS1000 is not impacted by the "Clientless SSL VPN products break web browser domain-based security models" issue, because it does not use any clientless SSL.
Ethernet Routing Switch - 1424, 1612, 1624, 1648
. The product does not offer an SSL VPN service.
Ethernet Routing Switch - 55xx, 56xx
. There is no solution for this problem on the 5600 itself. Customers may implement the mitigating solutions as per the US-CERT notification.
Ethernet Routing Switch - 8300, 8600, 8661
. By design, the backend session cookie is maintained on the VPN Gateway and is not exposed to the user side of the connection.
VPN Gateway - 3050, 3070
. By design, the backend session cookie is maintained on the VPN Gateway and is not exposed to the user side of the connection.
Messaging - MSM Mail System, Meridian Mail Compact Opt., Meridian Mail EC11, Meridian Mail MP, Meridian Mail Mod. Option, Meridian Mail Modular EC, Meridian Mail Modular GP, Meridian Mail NT/XT, Meridian Option 11 Mail
. Meridian Mail does not use browsers, web servers or SSL.
Norstar Applications - PC Console, Personal Productivity Suite
. Clientless SSL is not used on any Norstar products. Hence, the Norstar KSUs and Norstar applications are not affected by the "Clientless SSL VPN products break web browser domain-based security models" potential vulnerability.
Norstar Core - 3X8, CICS, MICS
. Clientless SSL is not used on any Norstar products. Hence, the Norstar KSUs and Norstar applications are not affected by the "Clientless SSL VPN products break web browser domain-based security models" potential vulnerability.
Norstar Messaging - Desktop Messaging, Flash ACD, Norstar Voice Mail
. Clientless SSL is not used on any Norstar products. Hence, the Norstar KSUs and Norstar applications are not affected by the "Clientless SSL VPN products break web browser domain-based security models" potential vulnerability.