=====================================================================
                                      CERT-Renater

                           Note d'Information No. 2007/VULN077
_____________________________________________________________________

DATE                      : 02/03/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Novell Access Management 3
                                                          SSLVPN Server.

======================================================================

https://secure-support.novell.com/KanisaPlatform/Publishing/648/3429077_f.SAL_Public.html
http://download.novell.com/Download?buildid=Siiw_-VRqLE~
______________________________________________________________________

SSLVPN vulnerability bypassing security policies

This document (3429077) is provided subject to the disclaimer at the end of this
document.
environment

Novell Access Management 3 SSLVPN Server
situation
After a workstation connects to the sslvpn server, and downloads the ActiveX
controls in IE, a policy.txt file is created in the users directory (Windows)
that contains the rules indicating what traffic and ports can go over the VPN.

If a user makes this file read-only, disconnect, and then edits it manually
before reconnecting, that user can get access to any resources on the coporate
LAN that would normally be prohibited. For example, changing the file to include

sslize {
from : 0.0.0.0 / 0
to :10.0.0.0/255.0.0.0
port : 80
protocol :tcp
action :allow
};

will give the user access to all webservers on the corporate LAN. NO traffic
access checking is done on the SSLVPN server
resolution
Apply am3sslvpn.tar.gz from support.novell.com
status
Security Alert
additional notes

document
Document ID:	3429077
Creation Date:	2007-03-01 16:42:05.0
Modified Date:	2007-03-01 09:40:31.0
Novell Product:	Access Manager
disclaimer

The Origin of this information may be internal or external to Novell. Novell
makes all reasonable efforts to verify this information. However, the
information provided in this document is for your information only. Novell makes
no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective
owners. Consult your product manuals for complete trademark information.

======================================================================

             =========================================================
             Les serveurs de référence du CERT-Renater
             http://www.urec.fr/securite
             http://www.cru.fr/securite
             http://www.renater.fr
             =========================================================
             + CERT-RENATER          | tel : 01-53-94-20-44          +
             + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
             + 75013 Paris           | email: certsvp@renater.fr     +
             =========================================================