U.S. CERT Issues Advisory on VPN Apps
The United States Computer Emergency Readiness Team (U.S. CERT) issued an alert this week about the improper storage of session data by virtual private network (VPN) applications, a weakness that attackers could leverage.
VPNs are used to enable secure network connections. They're used in scenarios where remote workers need to access corporate networks, for instance. However, researchers at the National Defense Information Sharing and Analysis Center have found that "multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files," according to the alert.
Attackers could use those vulnerabilities to gain access to network applications, the alert explained:
If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.
The researchers detected cookie log file storage issues in Palo Alto Networks GlobalProtect Agent 4.1.0 products for Windows and Macs, as well as Pulse Secure Connect Secure products "prior to 8.1R14, 8.2, 8.3R6, and 9.0R2."
Those products, as well as the Cisco AnyConnect 4.7.x products and earlier, also stored VPN session cookies insecurely in memory, according to the researchers.
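The log-file half of the problem described above comes down to a client writing session cookies into files that anything on the endpoint can read. The following Python example is added here to illustrate the defensive pattern; it is not code from the alert or from any of the vendors named, and the cookie names, log lines and logger name it uses are constructed for the example. It shows a `logging.Filter` that scrubs cookie values before a record reaches any log handler, plus a scanner that checks existing log lines for unredacted session cookies.

```python
import io
import logging
import re
from typing import Iterable, List, Tuple

# Cookie names treated as session credentials. These are generic illustrative
# names chosen for this example, not the cookie names of any product in the alert.
SESSION_COOKIE_NAMES = ("session", "sessionid", "session_cookie", "auth", "token")

# Bare name=value pairs, e.g. "session=abc123" or "sessionid=abc123; Path=/".
_PAIR_RE = re.compile(
    r"(?i)\b(" + "|".join(map(re.escape, SESSION_COOKIE_NAMES)) + r")=([^;\s\"']+)"
)
# Whole Cookie / Set-Cookie headers copied verbatim into a log line.
_HEADER_RE = re.compile(r"(?i)\b(set-cookie|cookie)\s*:\s*([^\r\n]+)")

REDACTED = "[REDACTED]"


def redact_cookies(text: str) -> str:
    """Return text with session-cookie values replaced by a placeholder.

    Header values are redacted wholesale; bare name=value pairs keep the cookie
    name so the log stays useful for debugging without carrying the credential.
    """
    text = _HEADER_RE.sub(lambda m: f"{m.group(1)}: {REDACTED}", text)
    return _PAIR_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


class CookieRedactingFilter(logging.Filter):
    """Scrub cookie values from a record before any handler formats or writes it.

    The message is rendered first (record.getMessage applies the %-args), then
    redacted, so placeholders like %s are never damaged before formatting.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_cookies(record.getMessage())
        record.args = None
        return True


def find_leaked_cookies(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan log lines; report (line_number, cookie_name) for each unredacted value.

    Use this to audit log files already on disk for leaked session cookies.
    """
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for m in _PAIR_RE.finditer(line):
            if m.group(2) != REDACTED:
                hits.append((n, m.group(1).lower()))
    return hits


# Constructed sample log lines resembling what a chatty VPN client might write.
SAMPLE_LOG = [
    "2019-04-12 10:01:03 INFO connect: tunnel established for user=alice",
    "2019-04-12 10:01:03 DEBUG http: Set-Cookie: session=9f3c1a7b; Path=/; HttpOnly",
    "2019-04-12 10:01:04 DEBUG http: reply 200, sessionid=9f3c1a7b cached",
    "2019-04-12 10:01:05 INFO keepalive ok",
]


def demo_logging() -> str:
    """Log two cookie-bearing messages through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(CookieRedactingFilter())  # attach to the handler, not the logger,
    logger = logging.getLogger("vpn.example")   # so propagated records are covered too
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers = [handler]
    logger.debug("auth reply: %s", "Set-Cookie: token=abc123; Secure")
    logger.debug("cached sessionid=%s for reuse", "abc123")
    return stream.getvalue()


if __name__ == "__main__":
    print("leaks in sample log:", find_leaked_cookies(SAMPLE_LOG))
    print("after redaction:", find_leaked_cookies(redact_cookies(l) for l in SAMPLE_LOG))
    print(demo_logging(), end="")
```

Redaction at the handler is a last line of defence; the real fix is not to pass the cookie to the logger at all. The scanner complements it by giving an administrator a quick way to check whether existing client logs already contain session material that should be treated as compromised.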
Not all VPN application products have these cookie storage vulnerabilities, but the researchers suggested it was a generic problem for most of them. The alert included a list of vendors, along with their VPN application vulnerability status. About 237 vendors were notified about the software vulnerabilities, but few were listed in the advisory as having responded at press time.
Palo Alto Networks did issue an advisory on the topic, recommending a software upgrade. It noted that "the endpoint would already have to be compromised for this vulnerability to work."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.