Tuesday, December 1, 2009

CERT spreads marketing BS and misinformation

The US-CERT issued a bunch of new notices today.  And one is BS.  Not complete BS, there is a real problem with the way SOME web-based SSL VPNs break cross-domain security.

I have three primary problems with this, starting with the title, "Clientless SSL VPN products break web browser domain-based security models". Of course, there is no such thing as a clientless VPN; there are just systems which install the VPN client in your browser (sometimes without user interaction), and a few which use the browser itself as the client. Most of what I see called "clientless" is actually installing an ActiveX, Java, or other client in the browser. "Clientless VPN" is a nonsensical marketing term which has no place in a technical discussion.

Next problem: the list of "affected systems" includes systems which are clearly not affected, and while their status is listed as "unknown", the implication is that they may be vulnerable. For the amount of vetting that went into the list, they could have included Microsoft Word and listed it as "unknown" status. For example, OpenVPN is listed, but it is an installed application, not web-based, and unless they have completely butchered the description there is no way OpenVPN is vulnerable to this. Also entertaining is the listing of several Linux distributions, most tagged as "unknown" status, with the notable exception of Red Hat, which is listed as "Not Vulnerable". Odd that they would commit to a status, or even list OSes at all, given the multitude of VPNs which can be configured on a Linux system. Wait, not odd: useless and misleading.

Finally, and most critically, by the time we've peeled back the obvious mistakes and fluff, the full nature and extent of the vulnerability is not clear.  After a bit of de-obfuscation and digging, you can probably figure it out.  Silly me, I thought that was what CERT was supposed to do for us when they issued these notices.

There are two posts on the topic over at Securosis that are worth a read; the first post isn't great, but the comments are. The second one is a good clarification of the first.