U.S. CERT Issues Advisory on VPN Apps

The United States Computer Emergency Readiness Team (U.S. CERT) issued an alert this week about the improper storage of session data by virtual private network (VPN) applications, a weakness that attackers could exploit.

VPNs are used to enable secure network connections. They're used in scenarios where remote workers might need to access corporate networks, for instance. However, researchers at the National Defense Information and Sharing Analysis Center have found that "multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files," according to the alert.

Attackers could use those vulnerabilities to gain access to network applications, the alert explained:

If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

The researchers detected cookie log file storage issues in Palo Alto Networks GlobalProtect Agent 4.1.0 products for Windows and Macs, as well as Pulse Secure Connect Secure products "prior to 8.1R14, 8.2, 8.3R6, and 9.0R2."

Those products, as well as the Cisco AnyConnect 4.7.x products and earlier, also stored VPN session cookies insecurely in memory, according to the researchers.
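As an added illustration of the defensive side of the log-storage issue (this is not code from the alert or from any of the vendors named): a Python logging filter that redacts session-cookie values before a client writes them to its log file, plus an audit that scans existing log lines for values that have already leaked. The sample log lines and the cookie field names are constructed assumptions, not real product output.

```python
import logging
import re

# Constructed sample lines in the style of a VPN client's debug log; not real product output.
SAMPLE_LOG_LINES = [
    "2019-04-12 09:01:02 INFO  connecting to vpn.example.com",
    "2019-04-12 09:01:05 DEBUG Set-Cookie: DSID=4f1a2b3c4d5e6f7a8b9c; path=/",
    "2019-04-12 09:01:05 DEBUG session_cookie=ZXhhbXBsZXNlc3Npb24= stored for reconnect",
    "2019-04-12 09:01:06 INFO  tunnel established",
]

# Field names here are assumptions for the sample; extend the alternation to whatever
# a given client actually writes. Group 1 = field name, 2 = separator, 3 = value.
COOKIE_RE = re.compile(
    r"(?i)\b(set-cookie:\s*[\w-]+|session[_-]?cookie|dsid|auth[_-]?token|cookie)"
    r"(\s*[=:]\s*)([^\s;,\"]+)"
)


def redact_cookies(line: str) -> str:
    """Replace every cookie/token value in a log line, keeping the field name."""
    return COOKIE_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


def find_leaked_cookies(lines):
    """Audit existing log lines; return (1-based line number, field name) per hit."""
    return [(n, m.group(1)) for n, line in enumerate(lines, start=1)
            for m in COOKIE_RE.finditer(line)]


class CookieRedactingFilter(logging.Filter):
    """Rewrites each record before any handler sees it, so values never reach disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_cookies(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


def sanitized_message(fmt: str, *args) -> str:
    """Run one message through the filter and return what a handler would write."""
    record = logging.LogRecord("vpn-client", logging.DEBUG, __file__, 0, fmt, args, None)
    CookieRedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    for lineno, field in find_leaked_cookies(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {field} value present in log")
    print(sanitized_message("Set-Cookie: DSID=%s; path=/", "4f1a2b3c4d5e6f7a8b9c"))
```

Attach the filter with `logger.addFilter(CookieRedactingFilter())` on the client's logger; the audit function is for checking logs that were written before the filter was in place.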

Not all VPN application products have these cookie storage vulnerabilities, but the researchers suggested it was a generic problem for most of them. The alert included a list of vendors, along with their VPN application vulnerability status. About 237 vendors were notified about the software vulnerabilities, but few were listed in the advisory as having responded at press time.

Palo Alto Networks did issue an advisory on the topic, recommending a software upgrade. It noted that "the endpoint would already have to be compromised for this vulnerability to work."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
