U.S. CERT Issues Advisory on VPN Apps -- Redmondmag.com

U.S. CERT Issues Advisory on VPN Apps

By Kurt Mackie
04/12/2019

The United States Computer Emergency Readiness Team (U.S. CERT) issued an alert this week about the improper storage of session data by virtual private network (VPN) applications, which could get leveraged by attackers.

VPNs are used to enable secure network connections. They're used in scenarios where remote workers might need to access corporate networks, for instance. However, researchers at the National Defense Information and Sharing Analysis Center have found that "multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files," according to the alert.

Attackers could use those vulnerabilities to gain access to network applications, the alert explained:

If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

The researchers detected cookie log file storage issues in Palo Alto Networks GlobalProtect Agent 4.1.0 products for Windows and Macs, as well as Pulse Secure Connect Secure products "prior to 8.1R14, 8.2, 8.3R6, and 9.0R2."

Those products, as well as the Cisco AnyConnect 4.7.x products and earlier, also stored VPN session cookies insecurely in memory, according to the researchers.

Not all VPN application products have these cookie storage vulnerabilities, but the researchers suggested it was a generic problem for most of them. The alert included a list of vendors, along with their VPN application vulnerability status. About 237 vendors were notified about the software vulnerabilities, but few were listed in the advisory as having responded at press time.

Palo Alto Networks did issue an advisory on the topic, recommending a software upgrade. It noted that "the endpoint would already have to be compromised for this vulnerability to work."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.