Vulnerability title: Remote SSL VPN Endpoint Identity Not Verified In Viprinet Multichannel VPN Router 300 CVE: CVE-2014-9754, CVE-2014-9755 Vendor: Viprinet Product: Multichannel VPN Router 300 Affected version: 2013070830/2013080900 Fixed version: 2014013131/2014020702 Reported by: Tim Brown Details: In order for the hardware VPN client on the affected device to establish a VPN channel it connects to the remote VPN endpoint and initiates an SSL connection using TLSv1.1. It then initiates the following exchange (protocol version 2): client> VERSION 3 server> ERROR client> VERSION 2 server> +OK Protocol version 2 chosen client> TUNNEL test server> +OK Tunnel chosen client> PASS test server> +OK You are now authenticated client> CHANNEL test server> +OK Channel selected client> DATA The hardware VPN client does not validate the remote VPN endpoint identity (through the checking of the endpoint’s SSL key) before initiating the exchange. In this example, we perform a downgrade attack from protocol version 3 to protocol version 2, however as noted in the impact, version 3 of the protocol is similarly affected. Note: MITRE have assigned CVE-2014-9754 to reference the missing certificate validation and CVE-2014-9755 to reference the protocol downgrade attack. Further details at: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-9754-cve-2014-9755/ Copyright: Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited. Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.