U.S. CERT Issues Advisory on VPN Apps

The United States Computer Emergency Readiness Team (U.S. CERT) issued an alert this week about the improper storage of session data by virtual private network (VPN) applications, which could get leveraged by attackers.

VPNs are used to establish encrypted network connections, for example so that remote workers can reach corporate networks. However, researchers at the National Defense Information Sharing and Analysis Center (NDISAC) found that "multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files," according to the alert.

Attackers could use those weaknesses to reach the applications exposed through the VPN, the alert explained:

If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

The researchers found session cookies stored in log files by Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and macOS, and by Pulse Secure Connect Secure products "prior to 8.1R14, 8.2, 8.3R6, and 9.0R2."

Those products, as well as the Cisco AnyConnect 4.7.x products and earlier, also stored VPN session cookies insecurely in memory, according to the researchers.
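The log-file half of the problem is the easier one to check for on a machine you administer. The script below is an added example, not code from the advisory or from any of the vendors named above: it scans log text for cookie headers that carry a session-like credential, and shows a logging filter that redacts such values before they are written. The log lines and cookie value are constructed for the example and do not match any real client's log format; the cookie names treated as sensitive are an assumption.

```python
import logging
import re

# Constructed sample log (not from any real VPN client). The second and
# third lines write a session cookie to disk, which is the defect the
# advisory describes.
SAMPLE_LOG = """\
2019-04-12 09:14:02 INFO  portal login ok user=alice
2019-04-12 09:14:02 DEBUG set-cookie: session=YWxpY2U6ZGVhZGJlZWYxMjM0NTY3ODkw; Path=/; HttpOnly
2019-04-12 09:14:03 DEBUG request GET /gateway cookie: session=YWxpY2U6ZGVhZGJlZWYxMjM0NTY3ODkw
2019-04-12 09:15:10 INFO  tunnel up mtu=1400
"""

# Cookie names assumed to carry a replayable credential (assumption; extend
# for the product you are checking).
SESSION_NAMES = ("session", "sessionid", "sid", "token", "auth")

# Matches "Cookie:" or "Set-Cookie:" followed by the first cookie pair.
COOKIE_HEADER_RE = re.compile(r"(?i)\b(set-cookie|cookie):\s*(\S+)")

# Matches name=value for any of the session-like names, anywhere in a line.
SESSION_VALUE_RE = re.compile(
    r"(?i)\b(" + "|".join(SESSION_NAMES) + r")=([^;\s]+)"
)


def find_leaked_cookies(log_text):
    """Return (line_no, cookie_name, value) for each session-like cookie
    that appears in a Cookie/Set-Cookie header in the log text."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = COOKIE_HEADER_RE.search(line)
        if not match:
            continue
        for pair in match.group(2).split(";"):
            if "=" not in pair:
                continue
            name, value = pair.split("=", 1)
            if name.strip().lower() in SESSION_NAMES and value:
                hits.append((line_no, name.strip(), value))
    return hits


def redact_line(line):
    """Replace the value of any session-like cookie with a placeholder so the
    line can be logged without leaking a replayable credential."""
    return SESSION_VALUE_RE.sub(r"\1=[REDACTED]", line)


class RedactingFilter(logging.Filter):
    """logging.Filter that scrubs session cookie values from every record.
    Attach it to the handler that writes the client's log file."""

    def filter(self, record):
        record.msg = redact_line(str(record.msg))
        return True


if __name__ == "__main__":
    for line_no, name, value in find_leaked_cookies(SAMPLE_LOG):
        print(f"line {line_no}: cookie {name!r} written to log ({len(value)} chars)")
    logger = logging.getLogger("vpn-client")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    logger.debug("set-cookie: session=YWxpY2U6ZGVhZGJlZWYxMjM0NTY3ODkw; Path=/")
```

Run `find_leaked_cookies` over the contents of the client's log directory to see whether an existing installation has already written cookies to disk; a hit means the credential should be treated as exposed and the session revoked, not just the file deleted. The filter shows the fix on the writing side: redact at the logging boundary rather than relying on every call site to remember.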

Not every VPN client has these cookie storage weaknesses, but the researchers suggested the problem is likely generic to many of them. The alert included a list of vendors along with each one's status. About 237 vendors were notified about the software vulnerabilities, but few were listed in the advisory as having responded at press time.

Palo Alto Networks did issue an advisory on the topic, recommending a software upgrade. It noted that "the endpoint would already have to be compromised for this vulnerability to work." That precondition is narrower than it sounds: a cookie lifted from a log file or a memory dump remains usable from another machine until the session expires or is revoked, so it turns a single endpoint compromise into VPN access that outlives it and skips the second authentication factor.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

