{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/261869#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview ###\r\nClientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.\r\n\r\n### Description ###\r\nWeb browsers enforce the same origin policy to prevent one site's active content (such as JavaScript) from accessing or modifying another site's data.  For instance, active content hosted at \r\n\r\n* http://<example.com>/page1.html can access DOM objects on \r\n* http://<example.com>/page2.html, but cannot access objects hosted at \r\n* http://<example.net>/page.html\r\n\r\nMany clientless SSL VPN products retrieve content from different sites, then present that content as coming from the SSL VPN, effectively circumventing browser same origin restrictions.\r\n\r\nClientless SSL VPNs provide browser-based access to internal and external resources without the need to install a traditional VPN client. Typically, these web VPNs are used to access intranet sites (such as an internal webmail server), but many have more capabilities, such as providing access to internal fileshares and remote desktop capabilities. To connect to a VPN, a web browser is used to authenticate to the web VPN, then the web VPN retrieves and presents the content from the requested pages.\r\n\r\nWeb VPN servers interact with clients using a process similar to what is described below:\r\n\r\n1. The user presents credentials to the web VPN using a web browser. The authentication can be done through username and password submission, or can involve multi-factor authentication.\r\n2. The web VPN authenticates the user and assigns an ID to the session, which is sent to the user's browser in the form of a cookie.\r\n3. 
The user can then browse internal resources, such as a webmail server or intranet webserver. URLs as viewed by the user's web browser may be similar to https://<webvpn.example.com>/www.intranet.example.com.\r\n\r\nAs the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN.  For example, a link to http://<www.intranet.example.com>/mail.html becomes https://<webvpn.example.com>/www.intranet.example.com/mail.html.  Cookies set by the requested webserver may be converted into globally unique cookies before being passed to the user's browser, which prevents collision between two identically named cookies from different requested domains.  For example, a sessionid cookie set by intranet.example.com could be renamed to intranet.example.com_sessionid before it is sent from the web VPN to the user's browser.  Additionally, the web VPN may replace references to specific HTML DOM objects, such as document.cookie.  These DOM objects may be replaced with script that returns the value for that DOM object as if it had been accessed in the context of the requested site's domain.\r\n\r\nIf an attacker constructs a page that obfuscates the document.cookie element in such a way as to avoid being rewritten by the web VPN, then the document.cookie object in the returned page will represent all of the user's cookies for the web VPN domain.  Included in this document.cookie are the web VPN session ID cookie itself and any globally unique cookies set by sites requested through the web VPN.  The attacker may then use these cookies to hijack the user's VPN session and any other sessions accessed through the web VPN that rely on cookies for session identification.\r\n\r\nAdditionally, an attacker could construct a page with two frames: one hidden and one that displays a legitimate intranet site.  
The hidden frame could log all keys pressed in the second, benign frame and submit these keypresses as parameters to an XMLHttpRequest GET to the attacker's site, rewritten in web VPN syntax.\r\n\r\nNote that if the VPN server is allowed to connect to arbitrary Internet sites, these vulnerabilities can be exploited by any site on the Internet.\r\n\r\n### Impact ###\r\n\r\nBy convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN.  This effectively eliminates same origin policy restrictions in all browsers.  For example, the attacker may be able to capture keystrokes while a user is interacting with a web page.  Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed.\r\n\r\nUPDATE: Many services are still improperly configuring these devices, enabling the vulnerability. Searches across Shodan, Censys, and Shadowserver have revealed devices vulnerable to this attack. Additionally, Threat Actors (TAs) still repeatedly perform mass scans for vulnerable devices (https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity) and share details on potentially vulnerable devices for others to attack on platforms such as Telegram.\r\n\r\n### Solution ###\r\n\r\nThere is no solution to this problem. Depending on their specific configuration and location in the network, these devices may be impossible to operate securely. 
Administrators are encouraged to review the workarounds below and see the Systems Affected section of this document for more information about specific vendors.\r\n\r\n#### Limit URL rewriting to trusted domains ####\r\n\r\nIf supported by the VPN server, URLs should only be rewritten for trusted internal sites. All other sites and domains should not be accessible through the VPN server. Since an attacker only needs to convince a user to visit a web page being viewed through the VPN to exploit this vulnerability, this workaround is likely to be less effective if there are a large number of hosts or domains that can be accessed through the VPN server.  When deciding which sites can be visited through use of the VPN server, it is important to remember that all allowed sites will operate within the same security context in the web browser.\r\n\r\n#### Limit VPN server network connectivity to trusted domains ####\r\n\r\nIt may be possible to configure the VPN device to only access specific network domains. This restriction may also be possible by using firewall rules.\r\n\r\n#### Disable URL hiding features ####\r\n\r\nObfuscating URLs hides the destination page from the end user. This feature can be used by an attacker to hide the destination page of any links they send. For example, https://<vpn.example.com>/attack-site.com vs https://<vpn.example.com>/778928801.\r\n\r\n### Acknowledgements ###\r\nThis issue was discovered by David Warren and Ryan Giobbi. Much of the original research into this issue was done by Michal Zalewski and Mike Zusman. This document was written by David Warren and Ryan Giobbi.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. 
","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"The limitations described in VU#261869 affect all vendors offering a truly Clientless SSL VPN solution, including Cisco. Cisco has published a Security Activity Bulletin that provides additional information at the following link: http://tools.cisco.com/security/center/viewAlert.x?alertId=19500 This bulletin includes links to documentation that guide customers on how to properly configure Clientless SSL VPN deployments for the purpose of accessing trusted resources to avoid getting in to a situation which may cause concern. Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution that can also be used with Clientless connections to protect against these security risks. Additionally, customers can use the Cisco AnyConnect client. Cisco Anyconnect provides remote end users with support of applications and functions unavailable to a clientless, browser-based SSL VPN connection. 
Information about CSD and AnyConnect can be found at: http://www.cisco.com/go/sslvpn.","title":"Vendor statement from Cisco"},{"category":"other","text":"Cisco has published information about this issue at: http://tools.cisco.com/security/center/viewAlert.x?alertId=19500\nhttp://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589\nhttp://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589\nhttp://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589\nhttp://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982\nhttp://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707\nhttp://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849","title":"CERT/CC comment on Cisco notes"},{"category":"other","text":"Regarding US-CERT Vulnerability Note VU# 261869, AEP Netilla currently mitigates exposure because of its secure design. By default, AEP Netilla is “locked down” meaning all access to and from Netilla is denied. All types of access must be explicitly granted. Thus, when a Web reverse proxy application is configured on Netilla, users cannot access the application and Netilla will not allow the connection to the application until policies that grant access are created. Details such as whether or not to allow cookies are part of the connection access policy. Because all access to and from Netilla is denied by default, any attempt to direct a user to an attacker created web page will be denied. Netilla is also protected from the other method described in the Vulnerability Note where user key strokes are trapped in a hidden frame. When that frame attempts to send out the captured data, the data is re-written to go to Netilla where Netilla's policy checking engine will drop the data. AEP recommends that Netilla customers only add access rules for known trusted sites. 
If customers require access to servers outside of their control, AEP recommends that they only configure policy rules that grant the absolute minimal access needed and can further mitigate the risk with these application policy settings: Cookie Support = No; JavaScript Handling = Delete; Vbscript Handling = Delete; and Host Name Hiding, a system-wide configuration setting, should be left at the default option = Do Not Hide.","title":"Vendor statement from aep NETWORKS (Inactive)"},{"category":"other","text":"CERT/CC has listed AEP Networks as vulnerable because certain configurations are subject to the issues described in the note. Administrators are encouraged to review their deployment for applicability.","title":"CERT/CC comment on aep NETWORKS (Inactive) notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from SonicWall"},{"category":"other","text":"SonicWall has published the following information in response to this issue: Main Support Page: http://www.sonicwall.com/us/Support.html\nSonicWALL E-Class SSL VPN: http://www.sonicwall.com/us/2123_14882.html\nSonicWALL SSL VPN: http://www.sonicwall.com/us/2123_14883.html Users are encouraged to review these bulletins and apply the workarounds they describe.","title":"CERT/CC comment on SonicWall notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Nortel Networks Inc."},{"category":"other","text":"Nortel has published the following advisory: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=984744","title":"CERT/CC comment on Nortel Networks Inc. 
notes"},{"category":"other","text":"Please see Juniper Networks Product Security Notification PSN-2009-11-580: https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-11-580&viewMode=view","title":"Vendor statement from Juniper Networks"},{"category":"other","text":"Juniper has also published the following information: Juniper Networks recommendations for mitigating VU#261869: http://kb.juniper.net/KB15799 Users are encouraged to review this knowledge base article and apply the workarounds it describes.","title":"CERT/CC comment on Juniper Networks notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from FreeBSD"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on FreeBSD notes"},{"category":"other","text":"Please see Palo Alto Advisory PAN-SA-2025-0005","title":"Vendor statement from Palo Alto Networks"},{"category":"other","text":"If a customer chooses to co-host resources of a different trust (different web applications and ssl-vpn internal application/portal) this situation can arise. Although there is another choice that a customer can make - use a separate domain for each application. The trade-off is cost vs security - using dedicated domain names requires wild-card certificates, and multiple DNS registrations. We encourage our customers to go with this solution, but as always customers have the right to choose cost of deployment over security. While we agree with the less secure option, this may pose an issue in certain deployments. 
With the more secure option available, we feel that this is not a vulnerability in our products.","title":"Vendor statement from Microsoft"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Microsoft notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Zyxel"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Zyxel notes"},{"category":"other","text":"The Kerio Clientless SSL-VPN is intended to access files on the network where it is deployed. It by design does not work as a reverse HTTP proxy and it does not create nor modify HTTP cookies of other web services. As such it is not affected by the described vulnerability.","title":"Vendor statement from Kerio Technologies"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Kerio Technologies notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Citrix"},{"category":"other","text":"Citrix has published the following article: http://support.citrix.com/article/CTX123610","title":"CERT/CC comment on Citrix notes"},{"category":"other","text":"Sun Java System Portal Server Secure Remote Access can be configured to be not vulnerable to CVE-2009-2631. Secure Remote Access Gateway offers client-less SSL VPN functionality. It rewrites the URLs only for explicitly configured domains and subdomains. Hence it is not vulnerable to attacks launched from the Internet. Access to domains or hosts within the intranet can be further controlled by Allow/Deny access list to restrict access to only trusted internal sites.","title":"Vendor statement from Sun Microsystems Inc. 
(Inactive)"},{"category":"other","text":"CERT/CC has listed Sun Microsystems as vulnerable because certain configurations are subject to the issues described in the note.\r\nSun has published the following information: http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable","title":"CERT/CC comment on Sun Microsystems Inc. (Inactive) notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Force10 Networks"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Force10 Networks notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Debian GNU/Linux"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Debian GNU/Linux notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from IP Filter"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on IP Filter notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from OpenVPN Technologies"},{"category":"other","text":"The web-based OpenVPN ALS (formerly Adito) could be affected by these issues when using a replacement proxy forward or multiple reverse proxy forwards. The scope of VPN session cookie stealing can be limited by enabling the Verify Client Address option. Tunneled web forwards are not affected. 
Please note that OpenVPN ALS is separate from the traditional TUN/TAP client-based OpenVPN, which is not affected by this issue.","title":"CERT/CC comment on OpenVPN Technologies notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Watchguard"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Watchguard notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Clavister"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Clavister notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Symantec"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Symantec notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Engarde Secure Linux"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Engarde Secure Linux notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from AT&T"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on AT&T notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Sony"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Sony notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from 
Apple"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Apple notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from F5 Networks"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on F5 Networks notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from m0n0wall"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on m0n0wall notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Intoto (Inactive)"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Intoto (Inactive) notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from IBM eServer"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on IBM eServer notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Mandriva S. A."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Mandriva S. A. 
notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Process Software"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Process Software notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Wind River"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Wind River notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Global Technology Associates Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Global Technology Associates Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Borderware Technologies"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Borderware Technologies notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Conectiva Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Conectiva Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from TippingPoint Technologies Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on TippingPoint Technologies Inc. 
notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from NETGEAR"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on NETGEAR notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from IBM"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on IBM notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Gentoo Linux"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Gentoo Linux notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from NEC Corporation"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on NEC Corporation notes"},{"category":"other","text":"Stonesoft has published a Security Advisory on this issue. 
The advisory is available at Stonesoft's web site: http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html","title":"Vendor statement from Stonesoft"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Stonesoft notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from MultiTech"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on MultiTech notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Snort"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Snort notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Intel"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Intel notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Infoblox"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Infoblox notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Luminous Networks"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Luminous Networks notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Red Hat"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Red Hat notes"},{"category":"other","text":"No statement is currently available 
from the vendor regarding this vulnerability.","title":"Vendor statement from Turbolinux"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Turbolinux notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from DragonFly BSD Project"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on DragonFly BSD Project notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Radware"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Radware notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Netfilter"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Netfilter notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Peplink"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Peplink notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Slackware Linux Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Slackware Linux Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from 3com Inc. (Inactive)"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on 3com Inc. 
(Inactive) notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from MontaVista Software Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on MontaVista Software Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Openwall GNU/*/Linux"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Openwall GNU/*/Linux notes"},{"category":"other","text":"ISS is NOT affected by this issue.","title":"Vendor statement from Internet Security Systems, Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Internet Security Systems, Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Webmin"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Webmin notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Hitachi"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Hitachi notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from ACCESS"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on ACCESS notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Fedora Project"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Fedora Project 
notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Computer Associates"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Computer Associates notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Belkin Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Belkin Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Fujitsu Europe"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Fujitsu Europe notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Check Point"},{"category":"other","text":"Check Point has posted the following information: https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk43265","title":"CERT/CC comment on Check Point notes"},{"category":"other","text":"Q1 is not affected by VU#261869","title":"Vendor statement from Q1 Labs"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Q1 Labs notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Foundry Brocade"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Foundry Brocade notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Sourcefire"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on 
Sourcefire notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from SafeNet"},{"category":"other","text":"SafeNet has issued Security Bulletin 111009-1, \"SafeWord 2008 -- SecureWire Access Gateway SSL VPN Vulnerability.\"\nThis document can be viewed from the SafeNet technical support website.","title":"CERT/CC comment on SafeNet notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Nokia"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Nokia notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from NetApp"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on NetApp notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Alcatel-Lucent Enterprise"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Alcatel-Lucent Enterprise notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from NetBSD"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on NetBSD notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Redback Networks Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Redback Networks Inc. 
notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Hewlett Packard Enterprise"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Hewlett Packard Enterprise notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on SUSE Linux notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Avaya"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Avaya notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from IP Infusion Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on IP Infusion Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from eSoft (Inactive)"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on eSoft (Inactive) notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from U4EA Technologies Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on U4EA Technologies Inc. 
notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Silicon Graphics Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Silicon Graphics Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Cray Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Cray Inc. notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Charlotte's Web Networks (Inactive)"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Charlotte's Web Networks (Inactive) notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from McAfee"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on McAfee notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Novell"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Novell notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Vyatta"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Vyatta notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Ubuntu"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Ubuntu 
notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Barracuda Networks"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Barracuda Networks notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Blackberry QNX"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Blackberry QNX notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Extreme Networks"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Extreme Networks notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Securework South Africa Ltd"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Securework South Africa Ltd notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from SmoothWall"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on SmoothWall notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Fortinet"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Fortinet notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Unisys Corporation"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment 
on Unisys Corporation notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Soapstone Networks"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Soapstone Networks notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from VMware"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on VMware notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Dell EMC"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Dell EMC notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from D-Link Systems Inc."},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on D-Link Systems Inc. 
notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from OpenBSD"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on OpenBSD notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from The SCO Group"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on The SCO Group notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Enterasys Networks"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Enterasys Networks notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Ericsson"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Ericsson notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Quagga"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Quagga notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/261869"},{"url":"https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript","summary":"https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript"},{"url":"https://developer.mozilla.org/en/DOM/document.cookie","summary":"https://developer.mozilla.org/en/DOM/document.cookie"},{"url":"http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy","summary":"http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy"},{"url":"http://www.owasp.org/index.php/Category:OWASP_Cookies_Database","summary":"http://www.owasp.org/index.php/Category:OWASP_Cookies_Database"},{"url":"http://www.owasp.org/index.php/Testing_for_Session_Management_Schema_(OWASP-SM-001)#Black_Box_Testing_and_Examples","summary":"http://www.owasp.org/index.php/Testing_for_Session_Management_Schema_(OWASP-SM-001)#Black_Box_Testing_and_Examples"},{"url":"http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html#wp1404057","summary":"http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html#wp1404057"},{"url":"http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046708.html","summary":"http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046708.html"},{"url":"http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046886.html","summary":"http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046886.html"},{"url":"http://www.blackhat.com/presentations/bh-usa-08/Zusman/BH_US_08_Zusman_SSL_VPN_Abuse.pdf","summary":"http://www.blackhat.com/presentations/bh-usa-08/Zusman/BH_US_08_Zusman_SSL_VPN_Abuse.pdf"},{"url":"https://security.paloaltonetworks.com/PAN-SA-2025-0005","summary":"https://security.paloaltonetworks.com/PAN-SA-2025-0005"},{"url":"http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589","summary":"Reference(s) from vendor 
\"Cisco\""},{"url":"http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589","summary":"Reference(s) from vendor \"Cisco\""},{"url":"http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589","summary":"Reference(s) from vendor \"Cisco\""},{"url":"http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982","summary":"Reference(s) from vendor \"Cisco\""},{"url":"http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707","summary":"Reference(s) from vendor \"Cisco\""},{"url":"http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849","summary":"Reference(s) from vendor \"Cisco\""},{"url":"https://security.paloaltonetworks.com/PAN-SA-2025-0005","summary":"Reference(s) from vendor \"Palo Alto Networks\""},{"url":"http://support.citrix.com/article/CTX123610","summary":"Reference(s) from vendor \"Citrix\""},{"url":"http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable","summary":"Reference(s) from vendor \"Sun Microsystems Inc. 
(Inactive)\""}],"title":"Clientless SSL VPN products break web browser domain-based security models","tracking":{"current_release_date":"2025-06-16T21:01:16+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#261869","initial_release_date":"2009-11-30 00:00:00+00:00","revision_history":[{"date":"2025-06-16T21:01:16+00:00","number":"1.20250616210116.192","summary":"Released on 2025-06-16T21:01:16+00:00"}],"status":"final","version":"1.20250616210116.192"}},"vulnerabilities":[{"title":"Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks.","notes":[{"category":"summary","text":"Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal 
resources, perform key logging, and conduct other attacks.  NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design."}],"cve":"CVE-2009-2631","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#261869"}],"product_status":{"known_affected":["CSAFPID-9f7ac82e-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f7af268-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f7ba028-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f7c1116-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f7c5bd0-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f7d0274-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f7d9a7c-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f80ff46-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f837802-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f86ed66-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f88f3a4-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f89ee08-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f8dd400-38a0-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-9f7a9bba-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f7bceea-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f841cd0-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f84b65e-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f85bacc-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f86ac7a-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f8725a6-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f87c77c-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f8823e8-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f891f5a-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f8d3644-38a0-11f1-8422-122e2785dc9f","CSAFPID-9f8eaf74-38a0-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Hewlett Packard Enterprise","product":{"name":"Hewlett Packard Enterprise Products","product_id":"CSAFPID-9f7a520e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"McAfee","product":{"name":"McAfee 
Products","product_id":"CSAFPID-9f7a9bba-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Palo Alto Networks","product":{"name":"Palo Alto Networks Products","product_id":"CSAFPID-9f7ac82e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-9f7af268-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Zyxel","product":{"name":"Zyxel Products","product_id":"CSAFPID-9f7b40f6-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-9f7ba028-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Kerio Technologies","product":{"name":"Kerio Technologies Products","product_id":"CSAFPID-9f7bceea-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Citrix","product":{"name":"Citrix Products","product_id":"CSAFPID-9f7c1116-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Sun Microsystems Inc. (Inactive)","product":{"name":"Sun Microsystems Inc. 
(Inactive) Products","product_id":"CSAFPID-9f7c5bd0-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Force10 Networks","product":{"name":"Force10 Networks Products","product_id":"CSAFPID-9f7c9c8a-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Debian GNU/Linux","product":{"name":"Debian GNU/Linux Products","product_id":"CSAFPID-9f7cdae2-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"aep NETWORKS (Inactive)","product":{"name":"aep NETWORKS (Inactive) Products","product_id":"CSAFPID-9f7d0274-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"IP Filter","product":{"name":"IP Filter Products","product_id":"CSAFPID-9f7d59e0-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"OpenVPN Technologies","product":{"name":"OpenVPN Technologies Products","product_id":"CSAFPID-9f7d9a7c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Watchguard","product":{"name":"Watchguard Products","product_id":"CSAFPID-9f7ddb0e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Clavister","product":{"name":"Clavister Products","product_id":"CSAFPID-9f7e3842-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Symantec","product":{"name":"Symantec Products","product_id":"CSAFPID-9f7e8a04-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Engarde Secure Linux","product":{"name":"Engarde Secure Linux Products","product_id":"CSAFPID-9f7ed37e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AT&T","product":{"name":"AT&T Products","product_id":"CSAFPID-9f7f0a7e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Sony","product":{"name":"Sony Products","product_id":"CSAFPID-9f7f3468-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Apple","product":{"name":"Apple Products","product_id":"CSAFPID-9f7f6578-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks 
Products","product_id":"CSAFPID-9f7f9cdc-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"m0n0wall","product":{"name":"m0n0wall Products","product_id":"CSAFPID-9f7fda08-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intoto (Inactive)","product":{"name":"Intoto (Inactive) Products","product_id":"CSAFPID-9f8010cc-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"IBM eServer","product":{"name":"IBM eServer Products","product_id":"CSAFPID-9f804cd6-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Mandriva S. A.","product":{"name":"Mandriva S. A. Products","product_id":"CSAFPID-9f8081d8-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Process Software","product":{"name":"Process Software Products","product_id":"CSAFPID-9f80ad02-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SonicWall","product":{"name":"SonicWall Products","product_id":"CSAFPID-9f80ff46-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Wind River","product":{"name":"Wind River Products","product_id":"CSAFPID-9f816f8a-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Global Technology Associates Inc.","product":{"name":"Global Technology Associates Inc. Products","product_id":"CSAFPID-9f819992-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Borderware Technologies","product":{"name":"Borderware Technologies Products","product_id":"CSAFPID-9f81cb60-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Conectiva Inc.","product":{"name":"Conectiva Inc. Products","product_id":"CSAFPID-9f821296-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"TippingPoint Technologies Inc.","product":{"name":"TippingPoint Technologies Inc. 
Products","product_id":"CSAFPID-9f824c02-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NETGEAR","product":{"name":"NETGEAR Products","product_id":"CSAFPID-9f828bc2-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"IBM","product":{"name":"IBM Products","product_id":"CSAFPID-9f82ccb8-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Gentoo Linux","product":{"name":"Gentoo Linux Products","product_id":"CSAFPID-9f8302dc-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NEC Corporation","product":{"name":"NEC Corporation Products","product_id":"CSAFPID-9f834116-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Stonesoft","product":{"name":"Stonesoft Products","product_id":"CSAFPID-9f837802-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MultiTech","product":{"name":"MultiTech Products","product_id":"CSAFPID-9f839fa8-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Snort","product":{"name":"Snort Products","product_id":"CSAFPID-9f83d16c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-9f841cd0-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Infoblox","product":{"name":"Infoblox Products","product_id":"CSAFPID-9f8445e8-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Luminous Networks","product":{"name":"Luminous Networks Products","product_id":"CSAFPID-9f848d00-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-9f84b65e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Turbolinux","product":{"name":"Turbolinux Products","product_id":"CSAFPID-9f84f4f2-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"DragonFly BSD Project","product":{"name":"DragonFly BSD Project Products","product_id":"CSAFPID-9f852b02-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Radware","product":{"name":"Radware 
Products","product_id":"CSAFPID-9f8566a8-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Netfilter","product":{"name":"Netfilter Products","product_id":"CSAFPID-9f85922c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Peplink","product":{"name":"Peplink Products","product_id":"CSAFPID-9f85bacc-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Slackware Linux Inc.","product":{"name":"Slackware Linux Inc. Products","product_id":"CSAFPID-9f85f2f8-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"3com Inc. (Inactive)","product":{"name":"3com Inc. (Inactive) Products","product_id":"CSAFPID-9f8631be-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MontaVista Software Inc.","product":{"name":"MontaVista Software Inc. Products","product_id":"CSAFPID-9f865c3e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Openwall GNU/*/Linux","product":{"name":"Openwall GNU/*/Linux Products","product_id":"CSAFPID-9f86851a-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Internet Security Systems, Inc.","product":{"name":"Internet Security Systems, Inc. Products","product_id":"CSAFPID-9f86ac7a-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Nortel Networks Inc.","product":{"name":"Nortel Networks Inc. 
Products","product_id":"CSAFPID-9f86ed66-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Webmin","product":{"name":"Webmin Products","product_id":"CSAFPID-9f8725a6-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Hitachi","product":{"name":"Hitachi Products","product_id":"CSAFPID-9f875490-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ACCESS","product":{"name":"ACCESS Products","product_id":"CSAFPID-9f877b96-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fedora Project","product":{"name":"Fedora Project Products","product_id":"CSAFPID-9f87c77c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Computer Associates","product":{"name":"Computer Associates Products","product_id":"CSAFPID-9f8823e8-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Belkin Inc.","product":{"name":"Belkin Inc. Products","product_id":"CSAFPID-9f8854b2-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe Products","product_id":"CSAFPID-9f88a494-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Check Point","product":{"name":"Check Point Products","product_id":"CSAFPID-9f88f3a4-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Q1 Labs","product":{"name":"Q1 Labs Products","product_id":"CSAFPID-9f891f5a-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Foundry Brocade","product":{"name":"Foundry Brocade Products","product_id":"CSAFPID-9f896708-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Sourcefire","product":{"name":"Sourcefire Products","product_id":"CSAFPID-9f89ac04-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SafeNet","product":{"name":"SafeNet Products","product_id":"CSAFPID-9f89ee08-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Nokia","product":{"name":"Nokia Products","product_id":"CSAFPID-9f8a481c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetApp","product":{"name":"NetApp 
Products","product_id":"CSAFPID-9f8a88f4-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Alcatel-Lucent Enterprise","product":{"name":"Alcatel-Lucent Enterprise Products","product_id":"CSAFPID-9f8ae100-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetBSD","product":{"name":"NetBSD Products","product_id":"CSAFPID-9f8b0dba-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Redback Networks Inc.","product":{"name":"Redback Networks Inc. Products","product_id":"CSAFPID-9f8b5cd4-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-9f8ba6da-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Avaya","product":{"name":"Avaya Products","product_id":"CSAFPID-9f8be51e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"IP Infusion Inc.","product":{"name":"IP Infusion Inc. Products","product_id":"CSAFPID-9f8c198a-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"eSoft (Inactive)","product":{"name":"eSoft (Inactive) Products","product_id":"CSAFPID-9f8c4edc-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"U4EA Technologies Inc.","product":{"name":"U4EA Technologies Inc. Products","product_id":"CSAFPID-9f8c8d34-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Silicon Graphics Inc.","product":{"name":"Silicon Graphics Inc. Products","product_id":"CSAFPID-9f8cb778-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cray Inc.","product":{"name":"Cray Inc. 
Products","product_id":"CSAFPID-9f8cdf64-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Charlotte's Web Networks (Inactive)","product":{"name":"Charlotte's Web Networks (Inactive) Products","product_id":"CSAFPID-9f8d066a-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Novell","product":{"name":"Novell Products","product_id":"CSAFPID-9f8d3644-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Vyatta","product":{"name":"Vyatta Products","product_id":"CSAFPID-9f8d6aba-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-9f8d9922-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Juniper Networks","product":{"name":"Juniper Networks Products","product_id":"CSAFPID-9f8dd400-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Barracuda Networks","product":{"name":"Barracuda Networks Products","product_id":"CSAFPID-9f8e1410-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Blackberry QNX","product":{"name":"Blackberry QNX Products","product_id":"CSAFPID-9f8e711c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Extreme Networks","product":{"name":"Extreme Networks Products","product_id":"CSAFPID-9f8eaf74-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Securework South Africa Ltd","product":{"name":"Securework South Africa Ltd Products","product_id":"CSAFPID-9f8ef9b6-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SmoothWall","product":{"name":"SmoothWall Products","product_id":"CSAFPID-9f8f4d6c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fortinet","product":{"name":"Fortinet Products","product_id":"CSAFPID-9f8f9506-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Unisys Corporation","product":{"name":"Unisys Corporation Products","product_id":"CSAFPID-9f8fd1e2-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Soapstone Networks","product":{"name":"Soapstone Networks 
Products","product_id":"CSAFPID-9f900b80-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"VMware","product":{"name":"VMware Products","product_id":"CSAFPID-9f90403c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Dell EMC","product":{"name":"Dell EMC Products","product_id":"CSAFPID-9f90a2ca-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"D-Link Systems Inc.","product":{"name":"D-Link Systems Inc. Products","product_id":"CSAFPID-9f90f1b2-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"OpenBSD","product":{"name":"OpenBSD Products","product_id":"CSAFPID-9f912c5e-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"The SCO Group","product":{"name":"The SCO Group Products","product_id":"CSAFPID-9f9171e6-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Enterasys Networks","product":{"name":"Enterasys Networks Products","product_id":"CSAFPID-9f91a33c-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Ericsson","product":{"name":"Ericsson Products","product_id":"CSAFPID-9f91cc36-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Quagga","product":{"name":"Quagga Products","product_id":"CSAFPID-9f91f5f8-38a0-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"FreeBSD","product":{"name":"FreeBSD Products","product_id":"CSAFPID-9f924abc-38a0-11f1-8422-122e2785dc9f"}}]}}
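The vulnerability summary in the CSAF record above (CVE-2009-2631, VU#261869) states the core problem: the VPN fetches content from one origin and re-serves it under its own origin, so content rewriting has to stand in for the browser's same-origin policy. The JavaScript below is an added illustration of why that substitute fails; it is not CERT/CC text and not the code of any product listed in the record. It models a VPN that stores each requested host's cookies in the VPN origin under the constructed scheme `<host>_<name>`, rewrites the literal token `document.cookie` to a per-host shim named `__vpn_cookie`, and then runs a page that spells the same property access differently. The cookie jar, the intranet hostname `www.intranet.example.com`, the shim name and the naming scheme are all assumptions made for the example.

```javascript
// Added illustration (not CERT/CC or vendor code) of why rewriting the literal
// token document.cookie does not restore the same-origin policy behind a
// clientless SSL VPN. The cookie jar, host names and the VPN's cookie naming
// scheme (<host>_<name>) are constructed assumptions for this example.

// Simulated browser cookie jar for the single VPN origin. Every cookie the user
// accumulated through the VPN lives here, alongside the VPN's own session ID.
const VPN_COOKIE_JAR = [
  'webvpn_session=8c1d0f3ab2',                  // the VPN's own session cookie
  'www.intranet.example.com_sessionid=A1B2C3',  // webmail session, namespaced by host
  'mail.example.net_sessionid=X9Y8Z7',          // another site's session, namespaced
].join('; ');

// Assumed VPN behaviour: a cookie set by <host> is stored as <host>_<name>.
// The shim returns only the cookies that belong to the requested host,
// with the host prefix stripped, which is what the page should see.
function vpnCookieShim(jar, host) {
  const prefix = host + '_';
  return jar.split('; ')
    .filter(c => c.startsWith(prefix))
    .map(c => c.slice(prefix.length))
    .join('; ');
}

// Assumed VPN content rewriter: it recognises only the literal token
// `document.cookie` and replaces it with a call to the per-host shim.
function rewriteScript(src, host) {
  return src.replace(/\bdocument\.cookie\b/g,
    `__vpn_cookie(${JSON.stringify(host)})`);
}

// Execute a (possibly rewritten) script as the browser would inside the VPN
// origin: `document.cookie` is the whole jar, because that is the real origin.
function runInVpnPage(src) {
  const document = { cookie: VPN_COOKIE_JAR };
  const __vpn_cookie = host => vpnCookieShim(VPN_COOKIE_JAR, host);
  return new Function('document', '__vpn_cookie', src)(document, __vpn_cookie);
}

const HOST = 'www.intranet.example.com';

// Case 1: a well-behaved intranet page. The rewriter fires and the page sees
// only its own cookie, as it would have on its real origin.
function cookiesSeenByPlainPage() {
  return runInVpnPage(rewriteScript('return document.cookie;', HOST));
}

// Case 2: a page that spells the identical property access in a form the
// token match does not recognise. Nothing is rewritten, so the script reads
// the entire VPN-origin jar: the VPN session cookie plus every namespaced
// cookie from every site the user has visited through the VPN.
function cookiesSeenByObfuscatedPage() {
  return runInVpnPage(rewriteScript('return document["coo" + "kie"];', HOST));
}

// Review-side check: given the cookie string a page ended up seeing, list the
// cookie names that belong to some other host (or to the VPN itself). An empty
// list means the origin boundary held for that page.
function foreignCookieNames(seen, host) {
  return seen.split('; ')
    .map(c => c.split('=')[0])
    .filter(name => name.includes('_') && !name.startsWith(host + '_'));
}

console.log('plain page sees      :', cookiesSeenByPlainPage());
console.log('obfuscated page sees :', cookiesSeenByObfuscatedPage());
console.log('leaked foreign cookies:', foreignCookieNames(cookiesSeenByObfuscatedPage(), HOST));
```

The same failure applies to any rewriting scheme that matches source text rather than intercepting the property at runtime: `document["cookie"]`, `window.document.cookie` reached through an alias, or a `Function` constructor built from string fragments all evade a token match. It is why the record treats this as a design property of clientless VPNs rather than a per-product bug, and why the vendor guidance referenced above centres on restricting which hosts may be reached through the VPN rather than on better rewriting.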