Worth peeking at your VPN Configs: US-CERT Vulnerability Note VU#261869

This was getting some discussion on Twitter today, but the list of affected VPN vendors is substantial enough that you might want to peek at your own configs. The hyperbole might not yet be warranted, but it is worth a look under your hood.

The description of the vuln implies that some VPN vendors' default settings may make attacks more viable. Taken from US-CERT Vulnerability Note VU#261869:

Vulnerability Note VU#261869

Clientless SSL VPN products break web browser domain-based security models

Overview

Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

Later in the bulletin, a mention of the potential exploit method:

By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For additional information about impacts, please see CERT Advisory CA-2000-02.

There's a broad variety of affected software- and appliance-based VPNs in the CERT list, so it's certainly worth a call to your vendor to be certain you're using the safest possible configs for your VPN's environment. Read the full bulletin here.
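To make the bulletin's point concrete, here is an added illustration (mine, not from the US-CERT note or from any vendor) of the mechanism it describes: a clientless SSL VPN rewrites every target URL into a path under the portal's own hostname, so the browser's same-origin policy sees one origin for everything that passes through it. The portal hostname, the rewrite path layout and the sample internal and external sites are all constructed; the allow-list check at the end models the general hardening step of only rewriting URLs for trusted internal domains, and is not a quote of any vendor's setting.

```python
"""Added illustration: how clientless-VPN URL rewriting collapses distinct web
origins into the VPN portal's origin, and an allow-list check that limits which
hosts get rewritten. All hostnames and the rewrite prefix are constructed."""
from urllib.parse import urlsplit, quote

# Constructed: the clientless VPN portal and a hypothetical rewrite prefix.
# Real products use their own path layouts; the shape is what matters here.
VPN_HOST = "vpn.example.com"
REWRITE_PREFIX = "/proxy/https/"

# Constructed sample sites a user might reach through the portal.
INTERNAL = "https://intranet.corp.example/payroll"
EXTERNAL = "https://untrusted.example/page"


def browser_origin(url: str) -> tuple:
    """Origin as a browser's same-origin policy sees it: (scheme, host, port).
    Default ports are filled in so https://a and https://a:443 compare equal."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def rewrite(url: str) -> str:
    """Toy model of clientless-VPN URL rewriting: the target host and path are
    folded into a path under the portal host. The browser now sees only the
    VPN origin, whatever the original site was."""
    parts = urlsplit(url)
    target = parts.netloc + parts.path
    if parts.query:
        target += "?" + parts.query
    return f"https://{VPN_HOST}{REWRITE_PREFIX}{quote(target, safe='/?=&')}"


def origins_collapse(urls) -> bool:
    """True if URLs with more than one real origin share a single browser
    origin after rewriting. This is exactly the loss of same-origin
    separation the CERT note describes: script from one proxied site runs
    with the same privileges as every other proxied site."""
    real_origins = {browser_origin(u) for u in urls}
    proxied_origins = {browser_origin(rewrite(u)) for u in urls}
    return len(real_origins) > 1 and len(proxied_origins) == 1


def should_rewrite(url: str, trusted_domains) -> bool:
    """Defensive allow-list (general hardening, not any vendor's setting):
    only rewrite URLs whose host is a trusted internal domain or one of its
    subdomains. Anything else is left alone so it keeps its own origin
    instead of inheriting the portal's."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def audit(urls, trusted_domains) -> dict:
    """Map each URL to whether an allow-listed portal would proxy it."""
    return {u: should_rewrite(u, trusted_domains) for u in urls}


if __name__ == "__main__":
    print("real origins :", browser_origin(INTERNAL), browser_origin(EXTERNAL))
    print("proxied      :", browser_origin(rewrite(INTERNAL)), browser_origin(rewrite(EXTERNAL)))
    print("collapse?    :", origins_collapse([INTERNAL, EXTERNAL]))
    print("with allow-list {'corp.example'}:", audit([INTERNAL, EXTERNAL], {"corp.example"}))
```

Run as-is, the script shows the two sample sites having different real origins but an identical proxied origin, which is why the bulletin says the rewriting "effectively eliminates same origin policy restrictions". The `audit` call then shows the effect of restricting rewriting to an internal domain: the external page is no longer proxied and keeps its own origin. When you call your vendor, this is the setting to ask about: whether the portal rewrites arbitrary hosts by default or only the ones you have explicitly trusted.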